On August 25, 2008 11:38:36 am Jakob Grießmann wrote:
> Hi there,
>
> thanks for the fast replies! When you want to make your own non-EV CA
> recognized by the browser, it's easy, you just have to import your CA
> as trusted root, then it works. Isn't there a similar way for EV CAs,
> like producing your EV CA and simply adding it to the trusted root of
> the browser? Is it much more complicated?
>

I believe that the list of OIDs and their associated CAs that are "Certified" for EVSSL are hardcoded into the browser somewhere (perhaps in the executable, but I really have no idea). I do know that you can't just add a Root CA cert in somewhere, you also have to add your CA into the "list of trusted EVSSL providers", which is much more complicated.
This is one of the reasons that EV SSL certificates have value - it has been set up in such a way that it is very difficult (I don't like saying impossible, because someone always proves me wrong) for anyone to fake a properly issued EV SSL certificate. As Mark said in a previous reply - the only sure way to be recognised by the browsers is to set up an EVSSL CA according to the CA/Browser Forum's Certificate Policy, and then pass the required audits that Microsoft, Mozilla, KDE and Opera require.

Hope that helps.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org