Closed Bug 1478480 Opened 2 years ago Closed 2 years ago
Sign Root CA - R6 for EV in PSM
Per bug #1390803 the request from GlobalSign has been approved to enable the following root certificate for EV use. Please make the corresponding changes to PSM.
Friendly Name: GlobalSign Root CA - R6
SHA-1 Fingerprint: 8094640EB5A7A1CA119C1FDDD59F810263A7FBD1
SHA-256 Fingerprint: 2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69
EV Policy OID: 2.23.140.1.1
Test URL: https://valid.r6.roots.globalsign.com/
Assignee: nobody → dkeeler
Julie, Please confirm that we should use the GlobalSign EV OID (1.3.6.1.4.1.4146.1.1) instead of the CAB Forum EV OID (2.23.140.1.1) for enabling EV treatment for this "GlobalSign Root CA - R6" root. Background: Dana ran into a problem when adding EV treatment for GlobalSign Root CA - R6. If we want this root to be authoritative for the EV Policy OID 2.23.140.1.1, any end-entities GlobalSign issues will have to list that OID first -- which is not what we're seeing with the test site valid.r6.roots.globalsign.com. If the certificate verifier finds the GlobalSign EV OID (1.3.6.1.4.1.4146.1.1) first, it'll try to use that OID since we already have GlobalSign roots that are authoritative for it. That won't work if we've used 2.23.140.1.1 for this root -- it'll fall back to DV. So we believe we should make this root authoritative for the GlobalSign EV OID.
Julie, It sounds like there is another option... to change all GlobalSign roots to use the CABF EV OID in Firefox. However, this will only work if all existing GlobalSign EV certs contain the CABF EV OID (in addition to the GlobalSign EV OID).
Hi Kathleen, All of our active SSL EV certificates have both the GlobalSign and CA/BF OID. We will make sure to flip the OID order moving forward so the CA/BF one goes first. Thanks, Julie.
Julie, Do all of GlobalSign's EV intermediate certificates have the CABF EV Policy OID or the AnyPolicy OID? If yes, then when we add EV treatment for this root, we will change all GlobalSign occurrences in ExtendedValidation.cpp to use the CABF EV OID.
Hi Kathleen, Sorry, yes, all of those certificates have the CABF EV Policy OID. Thanks, Julie.
This patch also switches all GlobalSign EV roots to using the CA/Browser Forum EV policy OID.
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/7381bd2bb8eb enable GlobalSign Root CA - R6 for EV in PSM r=franziskus
Julie, this change is now available in Firefox Nightly. I have tested and verified EV treatment for a couple test websites, and it looks good. Please perform additional testing. https://download.mozilla.org/?product=firefox-nightly-latest-ssl&os=osx&lang=en-US Thanks, Kathleen
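The OID-ordering problem discussed in this bug, as an added example that is not part of the bug thread and is not PSM code: a simplified model in which the verifier takes the first policy OID that any configured root is authoritative for, then grants EV only if the chain's own root is authoritative for that OID. The function names, the table layout, and the "older GlobalSign EV root" entry are assumptions for illustration, and the intermediate-certificate policy check mentioned in the thread is left out.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Simplified model of the behaviour described in the thread; not PSM code.
const std::string kCabfEv = "2.23.140.1.1";               // CA/Browser Forum EV
const std::string kGlobalSignEv = "1.3.6.1.4.1.4146.1.1"; // GlobalSign EV
using EvTable = std::map<std::string, std::string>;       // root -> its EV OID

// First policy OID, in certificate order, that any root in the table is
// authoritative for. Empty string if none is recognized.
std::string FirstRecognizedEvOid(const std::vector<std::string>& policies,
                                 const EvTable& table) {
  for (const auto& oid : policies)
    for (const auto& entry : table)
      if (entry.second == oid) return oid;
  return "";
}

// EV only if the chain's root is authoritative for the OID chosen above;
// otherwise the result falls back to DV.
std::string Treatment(const std::vector<std::string>& policies,
                      const std::string& root, const EvTable& table) {
  const std::string oid = FirstRecognizedEvOid(policies, table);
  auto it = table.find(root);
  if (oid.empty() || it == table.end() || it->second != oid) return "DV";
  return "EV";
}

const std::string kR6 = "GlobalSign Root CA - R6";
const std::string kOlder = "older GlobalSign EV root (placeholder)";
// Constructed leaf matching the thread's test site: GlobalSign OID listed first.
const std::vector<std::string> kLeaf = {kGlobalSignEv, kCabfEv};
// R6 keyed to the CABF OID while older roots keep the GlobalSign OID.
const EvTable kMixed = {{kOlder, kGlobalSignEv}, {kR6, kCabfEv}};
// The landed change: every GlobalSign root keyed to the CABF OID.
const EvTable kAllCabf = {{kOlder, kCabfEv}, {kR6, kCabfEv}};

int main() {
  std::cout << "mixed table:    " << Treatment(kLeaf, kR6, kMixed) << "\n";
  std::cout << "all-CABF table: " << Treatment(kLeaf, kR6, kAllCabf) << "\n";
  // A leaf carrying only the GlobalSign OID loses EV once all roots use CABF.
  std::cout << "legacy leaf:    " << Treatment({kGlobalSignEv}, kR6, kAllCabf) << "\n";
}
```

The last case is why the thread confirms that every active GlobalSign EV certificate already carries the CABF OID before the roots are switched.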