[EMAIL PROTECTED] wrote:
> I have a specific question about a preferred setup of an EV SSL server PKI and
> how the user experience will be.

I'm not the expert on this, but I can perhaps give you a preliminary answer until the experts show up.

> Assume that an EV compliant primary root cert of CA X is accepted and
> preinstalled in Firefox 3.x (FF3). The hierarchy is now
>
> CA X PCA root
> |
> +- CA X SSL Issuing CA
>    |
>    +- SSL server cert for www.domain.com
>
> I guess that this is a setup without any problems and that FF3 shows it
> as an EV cert as long as the issued SSL cert includes the CA's reported EV
> policy OID?

Yes, my understanding is that this will work as long as the following is true:

* The SSL cert has the proper EV policy OID value.
* The cert for the CA X SSL issuing CA (subordinate to the root) has either the EV policy OID value (same value as that in the SSL server cert) or the AnyPolicy policy OID value.
* The CA X PCA root cert has the EV policy OID value associated with it as metadata in Firefox 3. (In other words, we've approved the CA X PCA root for EV, and made the corresponding changes to the Firefox 3 code.)

> Even if the PCA also has non-EV sub-CAs?

Yes. Whether the PCA has other subordinate CAs (EV or not) is irrelevant, since they are not part of the cert chain in question.

> For the purpose of being backwards compatible with legacy browsers the
> CA X PCA will now obtain a subcertification from a widely recognised CA
> Y (e.g. Entrust.net) and the SSL server cert customers will be
> encouraged to install the path
>
> CA Y
> |
> +- CA X PCA root
>    |
>    +- CA X SSL Issuing CA
>       |
>       +- SSL server cert for www.domain.com
>
> How does the browser resolve the path and does the user still experience
> the EV cert as an EV cert?

In this case there are two possible paths from the SSL server cert to a trust anchor, one terminating in the CA Y root cert and another (shorter) one terminating in the CA X PCA root.

My understanding is that Firefox 3 has special code that for the EV case ensures that the CA X PCA root is chosen as the trust anchor, and the SSL server cert is properly recognized as EV (assuming that the CA X PCA root is enabled for EV as described above).

Note that there are real-life examples of this scenario already, and as far as I know they work fine.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
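The three conditions in the reply above (EV OID on the server cert, EV OID or anyPolicy on the subordinate CA, EV metadata on the root) and the two-path cross-certification case can be modelled in a few dozen lines. The following is an added example, not code from the original post and not Firefox or NSS code: certificates are plain records matched by name, with no signatures or real X.509 parsing, and the EV policy OID value and CA names are constructed placeholders (only the anyPolicy OID is real).

```python
"""Toy model of EV path selection: which trust anchor wins, and is the result EV?"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_POLICY = "2.5.29.32.0"                # RFC 5280 anyPolicy (real OID)
EV_OID_CA_X = "1.3.6.1.4.1.99999.100.1"   # constructed placeholder EV policy OID


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: Tuple[str, ...] = ()   # contents of the certificatePolicies extension
    is_ca: bool = False


@dataclass(frozen=True)
class TrustAnchor:
    cert: Cert
    ev_policy_oid: Optional[str] = None   # EV OID the browser associates with this root


def build_paths(leaf: Cert, intermediates: List[Cert], anchors: List[TrustAnchor],
                max_len: int = 6) -> List[Tuple[List[Cert], TrustAnchor]]:
    """Enumerate every issuer path from the leaf to some trust anchor.

    Issuers are matched by name only (a simplification of real path building).
    A cross-certificate for a root carries the root's subject name but another
    issuer, so the same name can also continue toward a second anchor.
    """
    by_subject: Dict[str, List[Cert]] = {}
    for c in intermediates:
        by_subject.setdefault(c.subject, []).append(c)
    anchor_by_subject = {a.cert.subject: a for a in anchors}
    found: List[Tuple[List[Cert], TrustAnchor]] = []

    def walk(chain: List[Cert]) -> None:
        if len(chain) > max_len:
            return
        issuer = chain[-1].issuer
        if issuer in anchor_by_subject:           # path terminates at a trust anchor
            found.append((list(chain), anchor_by_subject[issuer]))
        for cand in by_subject.get(issuer, ()):   # or continues through an intermediate
            if cand.is_ca and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return found


def path_is_ev(path: List[Cert], anchor: TrustAnchor) -> bool:
    """The three conditions: root EV metadata, leaf EV OID, CA EV OID or anyPolicy."""
    ev = anchor.ev_policy_oid
    if ev is None:                       # root not approved for EV in the browser
        return False
    leaf, cas = path[0], path[1:]
    if ev not in leaf.policies:          # server cert must carry the EV OID itself
        return False
    return all(ev in ca.policies or ANY_POLICY in ca.policies for ca in cas)


def select_path(leaf: Cert, intermediates: List[Cert],
                anchors: List[TrustAnchor]) -> Optional[Tuple[str, bool, int]]:
    """Prefer an EV-validating path, then the shortest one.

    Returns (anchor subject, is_ev, certs below the anchor) or None if no path exists.
    """
    candidates = build_paths(leaf, intermediates, anchors)
    if not candidates:
        return None
    ranked = sorted(candidates, key=lambda pa: (not path_is_ev(*pa), len(pa[0])))
    path, anchor = ranked[0]
    return anchor.cert.subject, path_is_ev(path, anchor), len(path)


# Constructed hierarchy mirroring the question (names are placeholders).
ROOT_X = Cert("CA X PCA", "CA X PCA", is_ca=True)
SUB_X = Cert("CA X SSL Issuing CA", "CA X PCA", policies=(EV_OID_CA_X,), is_ca=True)
SERVER = Cert("www.domain.com", "CA X SSL Issuing CA", policies=(EV_OID_CA_X,))
ROOT_Y = Cert("CA Y", "CA Y", is_ca=True)
CROSS_X = Cert("CA X PCA", "CA Y", policies=(ANY_POLICY,), is_ca=True)  # CA Y's cert for X's root

FF3_ANCHORS = [TrustAnchor(ROOT_X, EV_OID_CA_X), TrustAnchor(ROOT_Y)]   # X approved for EV
LEGACY_ANCHORS = [TrustAnchor(ROOT_Y)]                                   # only CA Y trusted


def scenario_direct():
    return select_path(SERVER, [SUB_X], FF3_ANCHORS)

def scenario_cross_certified():
    return select_path(SERVER, [SUB_X, CROSS_X], FF3_ANCHORS)

def scenario_legacy_browser():
    return select_path(SERVER, [SUB_X, CROSS_X], LEGACY_ANCHORS)

def scenario_intermediate_missing_oid():
    bad_sub = Cert("CA X SSL Issuing CA", "CA X PCA", policies=(), is_ca=True)
    return select_path(SERVER, [bad_sub, CROSS_X], FF3_ANCHORS)


if __name__ == "__main__":
    for fn in (scenario_direct, scenario_cross_certified,
               scenario_legacy_browser, scenario_intermediate_missing_oid):
        print(f"{fn.__name__:34} -> {fn()}")
```

With the cross-certificate installed, the model still ends at the CA X root with EV, because the EV-capable path is ranked ahead of the longer path to CA Y; a browser that trusts only CA Y gets a valid but non-EV chain, and an issuing CA without the EV OID or anyPolicy loses EV even under an EV-approved root.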

