CA/EV Processing for CAs
EV TLS Capable
Mozilla considers an intermediate certificate to be capable of issuing EV TLS certificates when all of the following are true. The intermediate certificate:
- is signed by an EV TLS Capable certificate (when not directly signed by the root certificate)
- either directly or transitively chains up to a root certificate included in Mozilla's root store with the TLS (Websites) trust bit turned on, and EV enabled
- is not revoked and not expired
- does not have an Extended Key Usage (EKU) extension or does have an EKU extension containing KeyPurposeIds: anyExtendedKeyUsage or id-kp-serverAuth
- has Policy Identifiers containing one or more of: 22.214.171.124.1 (CABF EV OID), 126.96.36.199.0 (anyPolicy OID), the CA's EV OIDs used by Mozilla in ExtendedValidation.cpp, or any Policy OIDs listed in ExtendedValidation.cpp for the CA certificate.
Firefox EV Processing Logic
Firefox determines whether or not to display the Extended Validation SSL UI for a given website by performing policy validation during certificate path building and verification. Firefox ships with a list of trust anchors (root certificates), some of which are each trusted for a specific EV policy OID. If Firefox can build a trusted path from the end entity certificate to a root certificate that is trusted for a particular OID and where each certificate in the chain has that policy OID in the certificatePolicies extension (or, for intermediate and root certificates, the anyPolicy OID), then that certificate is considered an EV certificate. Additional details are as follows.
Firefox is sensitive to the position of OIDs in the certificatePolicies extension of the end-entity certificate. Firefox “recognizes” a set EV policy OIDs associated with some roots from some CAs in the Mozilla Root CA Program, plus the CAB Forum EV OID (188.8.131.52.1). Firefox only attempts to build a trusted path using the first recognized EV policy OID found in the certificatePolicies extension of the end-entity certificate. Later OIDs, even if recognized by Firefox, are ignored. Thus, if path building does not succeed using that first EV OID, the certificate will not be considered EV.
Firefox matches the EV OID found in the end-entity certificate with one or more EV OIDs associated with the root in the ExtendedValidation.cpp file. In the process of running the path building algorithm, when a potential root certificate has been identified, the first recognized EV policy OID found in the end-entity certificate is compared to the EV policy OID(s) associated with the root. If they match, the candidate is a valid trust anchor, and the end-entity will be considered EV if all other checks pass. In addition, if the CAB Forum EV policy OID is the first recognized OID in the certificatePolicies extension of the end-entity certificate, EV status is granted if the root is EV-enabled for any OID.
Any Intermediate certificates in the chain must assert a policy that includes the first recognized EV policy OID found in the end-entity certificate. This means that one of the following must be true for each intermediate CA certificate in the chain:
- The certificatePolicies extensions includes the anyPolicy OID (184.108.40.206.0) (Note that if the inhibitAnyPolicy extension is present, Firefox will reject the anyPolicy OID regardless of the value set for inhibitAnyPolicy)
- The certificatePolicies extension includes the same “recognized” policy OID as Firefox chose from the end-entity certificate (either a CA-specific OID or the CAB Forum OID)
EV certificates that chain to multiple roots via cross-certification follow the rules listed above. Special care should be taken in using CA-specific EV identifiers in this situation because it is possible for there to be a mismatch between the policy Firefox chooses from the end-entity certificate and the policy associated with the root chosen by the path building algorithm. Best practice is to rely on the CAB Forum EV policy OID by placing it in the first position of all end-entity EV certificates.
An additional consideration for receiving the EV UI is that revocation checking must succeed via OCSP (or some future revocation checking mechanism) for the end-entity and intermediate CA certificate(s). If the security.OCSP.enabled preference is set to ‘0’, OCSP checking is not performed and the EV UI will not appear for otherwise valid EV certificates.