CA/EV Processing for CAs: Difference between revisions

= EV TLS Capable =
Mozilla considers an intermediate certificate to be capable of issuing EV TLS certificates when all of the following are true. The intermediate certificate:
* either directly or transitively chains up to a root certificate that is included in Mozilla's root store with the TLS (Websites) trust bit turned on and EV enabled
* is neither revoked nor expired
* either has no Extended Key Usage (EKU) extension, or has an EKU extension that contains at least one of the KeyPurposeIds anyExtendedKeyUsage or id-kp-serverAuth
* has a Certificate Policies extension containing one or more of: 2.23.140.1.1 (the CA/Browser Forum EV policy OID), 2.5.29.32.0 (the anyPolicy OID), or the CA's own EV policy OIDs as recorded by Mozilla in [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/ExtendedValidation.cpp ExtendedValidation.cpp]
* is signed by an EV TLS Capable intermediate certificate, unless it is signed directly by the root certificate
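The conditions above can be mechanised. The following is an added example written for this page, not the code Firefox uses (Firefox's own checks live in mozilla::pkix and ExtendedValidation.cpp). It uses only the Go standard library, builds a constructed three-certificate hierarchy in memory, and checks a path from an intermediate up to its root against every condition except revocation, which is out of scope here. The names EVCapable, PathEVCapable, issueCA and DemoChain are this example's own; the caEVOIDs parameter stands in for the per-CA EV OID table in ExtendedValidation.cpp, and oidDemoCAEV (1.3.6.1.4.1.99999.1.1) is a constructed placeholder, not any real CA's EV OID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	oidCABFEV    = asn1.ObjectIdentifier{2, 23, 140, 1, 1}             // CA/B Forum EV policy OID
	oidAnyPolicy = asn1.ObjectIdentifier{2, 5, 29, 32, 0}              // anyPolicy
	oidDemoCAEV  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1} // constructed stand-in for a CA's own EV OID
)

// EVCapable applies the validity, EKU and policy conditions to one certificate. caEVOIDs
// stands in for the CA-specific EV OIDs in ExtendedValidation.cpp; revocation is not checked.
func EVCapable(c *x509.Certificate, caEVOIDs []asn1.ObjectIdentifier, now time.Time) (bool, string) {
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return false, "outside validity period"
	}
	// No EKU extension is fine; if one is present it must carry serverAuth or anyExtendedKeyUsage
	// (Go parses the latter as ExtKeyUsageAny; unrecognised purposes land in UnknownExtKeyUsage).
	ekuOK := len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) == 0
	for _, e := range c.ExtKeyUsage {
		ekuOK = ekuOK || e == x509.ExtKeyUsageAny || e == x509.ExtKeyUsageServerAuth
	}
	if !ekuOK {
		return false, "EKU present without serverAuth or anyExtendedKeyUsage"
	}
	for _, p := range c.PolicyIdentifiers {
		for _, a := range append([]asn1.ObjectIdentifier{oidCABFEV, oidAnyPolicy}, caEVOIDs...) {
			if p.Equal(a) {
				return true, "ok"
			}
		}
	}
	return false, "no EV-qualifying policy identifier"
}

// PathEVCapable takes a path ordered from the intermediate under test up to evRoot (the EV-enabled
// root). Every certificate below the root must be signed by the next one up and be EVCapable itself.
func PathEVCapable(path []*x509.Certificate, evRoot *x509.Certificate, caEVOIDs []asn1.ObjectIdentifier, now time.Time) (bool, string) {
	if len(path) < 2 || !path[len(path)-1].Equal(evRoot) {
		return false, "path must run from an intermediate up to the EV-enabled root"
	}
	for i := 0; i < len(path)-1; i++ {
		if err := path[i].CheckSignatureFrom(path[i+1]); err != nil {
			return false, fmt.Sprintf("cert %d: bad signature: %v", i, err)
		}
		if ok, why := EVCapable(path[i], caEVOIDs, now); !ok {
			return false, fmt.Sprintf("cert %d: %s", i, why)
		}
	}
	return true, "ok"
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCA mints a demo CA certificate; parent == nil yields a self-signed root. certificatePolicies
// (RFC 5280 4.2.1.4) is hand-encoded so the example does not depend on which template field a given
// Go release marshals.
func issueCA(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	ekus []x509.ExtKeyUsage, policy asn1.ObjectIdentifier) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	polDER := must(asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}}))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: ekus,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polDER}},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// DemoChain builds a constructed hierarchy: [0] EV-enabled root (anyPolicy, no EKU), [1] issuing CA
// carrying only the CA-specific oidDemoCAEV, [2] a CA carrying the CA/B Forum EV OID but a clientAuth-only EKU.
func DemoChain() []*x509.Certificate {
	root, rootKey := issueCA("Example EV Root", 1, nil, nil, nil, oidAnyPolicy)
	ev, _ := issueCA("Example EV Issuing CA", 2, root, rootKey, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, oidDemoCAEV)
	cl, _ := issueCA("Example Client-Auth CA", 3, root, rootKey, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, oidCABFEV)
	return []*x509.Certificate{root, ev, cl}
}

func main() {
	d := DemoChain()
	fmt.Println(PathEVCapable([]*x509.Certificate{d[1], d[0]}, d[0], []asn1.ObjectIdentifier{oidDemoCAEV}, time.Now()))
	fmt.Println(PathEVCapable([]*x509.Certificate{d[2], d[0]}, d[0], nil, time.Now()))
}
```

Two design points are worth noting. First, the issuing CA in the demo carries only its own EV OID, so it is judged capable only when that OID is supplied in caEVOIDs; with an empty table it fails with "no EV-qualifying policy identifier", which mirrors why Mozilla keeps the per-CA OIDs in ExtendedValidation.cpp rather than relying on 2.23.140.1.1 alone. Second, the certificatePolicies extension is written by hand through ExtraExtensions because which of the template's policy fields CreateCertificate marshals is governed by a GODEBUG setting whose default has changed across Go releases; reading back through PolicyIdentifiers works on every release.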
= Firefox EV Processing Logic =