
Re: EV SSL Certificates, make our own?



> On Sat, Apr 5, 2008 at 10:32 AM, Dusty Wilson <dusty@hey.nu> wrote:
> > I'll rephrase it since I haven't heard any responses.  Is there
> > something special about an EV SSL cert or is it just a regular old SSL
> > cert with an extra attribute or flag?  I've searched all over the net
> > for a resource to help me on this, but I've hit a dead end.  Any
> > suggestions?
> >
On Sat, Apr 5, 2008 at 5:39 AM, Frederik Kriewitz <frederik@kriewitz.eu> wrote:
> There's no real difference on the technical side between the normal and EV
> certs. In Firefox 3 beta 5 EV OIDs are hard-coded.
> So you will have to recompile FF and deploy the modified version.

Oh no.  That's the nail in the coffin right there.  Does anyone know
of any plans to have these *not* hard-coded?  I can imagine that maybe
the goal is to prevent some sort of accidental trust, but hard-coding
just doesn't feel right at all to me.

Thanks Frederik; your response on this was very helpful.

(following left in for the benefit of the list)
> Currently there are 7 EV OIDs listed:
> From mozilla/security/manager/ssl/src nsIdentityChecking.cpp:
> struct nsMyTrustedEVInfo
> {
>   char *dotted_oid;
>   char *oid_name; // Set this to null to signal an invalid structure.
>                   // (We can't have an empty list, so we'll use a dummy entry.)
>   SECOidTag oid_tag;
>   char *ev_root_sha1_fingerprint;
>   char *issuer_base64;
>   char *serial_base64;
>   CERTCertificate *cert;
> };
>
> static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
>   {
>     // OU=Go Daddy Class 2 Certification Authority,O=\"The Go Daddy Group, Inc.\",C=US
>     "2.16.840.1.114413.1.7.23.3",
>     "Go Daddy EV OID a",
>     SEC_OID_UNKNOWN,
>     "27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4",
>     "MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIElu"
>     "Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRo"
>     "b3JpdHk=",
>     "AA==",
>     nsnull
>   },
>   {
>     // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=\"ValiCert, Inc.\",L=ValiCert Validation Network
>     "2.16.840.1.114413.1.7.23.3",
>     "Go Daddy EV OID a",
>     SEC_OID_UNKNOWN,
>     "31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6",
>     "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNV"
>     "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBv"
>     "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52"
>     "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbQ==",
>     "AQ==",
>     nsnull
>   },
>   {
>     // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=\"ValiCert, Inc.\",L=ValiCert Validation Network
>     "2.16.840.1.114414.1.7.23.3",
>     "Go Daddy EV OID b",
>     SEC_OID_UNKNOWN,
>     "31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6",
>     "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNV"
>     "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBv"
>     "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52"
>     "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbQ==",
>     "AQ==",
>     nsnull
>   },
>   {
>     // OU=Starfield Class 2 Certification Authority,O=\"Starfield Technologies, Inc.\",C=US
>     "2.16.840.1.114414.1.7.23.3",
>     "Go Daddy EV OID b",
>     SEC_OID_UNKNOWN,
>     "AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A",
>     "MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVz"
>     "LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9u"
>     "IEF1dGhvcml0eQ==",
>     "AA==",
>     nsnull
>   },
>   {
>     // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
>     "2.16.840.1.114412.2.1",
>     "DigiCert EV OID",
>     SEC_OID_UNKNOWN,
>     "5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25",
>     "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT"
>     "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh"
>     "bmNlIEVWIFJvb3QgQ0E=",
>     "AqxcJmoLQJuPC3nyrkYldw==",
>     nsnull
>   },
>   {
>     // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
>     "1.3.6.1.4.1.8024.0.2.100.1.2",
>     "Quo Vadis EV OID",
>     SEC_OID_UNKNOWN,
>     "CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7",
>     "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD"
>     "VQQDExJRdW9WYWRpcyBSb290IENBIDI=",
>     "BQk=",
>     nsnull
>   },
>   {
>     // OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US
>     "2.16.840.1.113733.1.7.23.6",
>     "Verisign EV OID",
>     SEC_OID_UNKNOWN,
>     "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2",
>     "MF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UE"
>     "CxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0"
>     "eQ==",
>     "cLrkHRDZKTS2OMp7A8y6vw==",
>     nsnull
>   },
>   {
>     // OU=Sample Certification Authority,O=\"Sample, Inc.\",C=US
>     "0.0.0.0",
>     0, // for real entries use a string like "Sample INVALID EV OID"
>     SEC_OID_UNKNOWN,
>     "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33", // dummy entry: comma was missing after this string
>     "Cg==",
>     "Cg==",
>     nsnull
>   }
> };
>
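The rule the quoted table implies, as an added example that is not Mozilla's code nor anything posted in this thread: decode the leaf certificate's certificatePolicies extension and report EV only when a policy OID and the SHA-1 fingerprint of the root the chain ended at sit in the same table row. It assumes a hand-constructed SAMPLE_EXT value (not from any real certificate) and copies two rows from the quoted table; chain building and fingerprinting of the real root are outside its scope.

```python
# Added example, not Mozilla code: decode a leaf cert's certificatePolicies
# extension (DER), then apply the nsMyTrustedEVInfo rule: a policy OID grants
# EV only if the chain ends at the root fingerprint listed beside that OID.
def iter_tlv(data):
    """Yield (tag, content) for each DER TLV in data (definite lengths)."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                          # long form: n & 0x7F length octets
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0   # first byte = 2 arcs
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                      # last base-128 byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """policyIdentifier of each PolicyInformation; policyQualifiers skipped."""
    [(tag, policies)] = list(iter_tlv(ext_value))
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE OF"
    # the first element of every PolicyInformation SEQUENCE is the OID (tag 6)
    return [decode_oid(next(iter_tlv(info))[1]) for _, info in iter_tlv(policies)]

# (dotted_oid, oid_name, ev_root_sha1_fingerprint) rows from the quoted table
TRUSTED_EV = [
    ("2.16.840.1.114413.1.7.23.3", "Go Daddy EV OID a",
     "27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4"),
    ("2.16.840.1.114412.2.1", "DigiCert EV OID",
     "5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25"),
]

def ev_status(ext_value, chain_root_sha1):
    for oid in policy_oids(ext_value):
        for t_oid, name, root_fp in TRUSTED_EV:
            if oid == t_oid and root_fp == chain_root_sha1.upper():
                return name
    return None                               # not EV: no (OID, root) pair matched

# Constructed sample: Go Daddy EV OID, then DigiCert EV OID with a CPS qualifier
SAMPLE_EXT = bytes.fromhex(
    "303f" "300d" "060b" "6086480186fd6d01071703"
    "302e" "0609" "6086480186fd6c0201" "3021" "301f"
    "0608" "2b06010505070201" "1613" + b"http://cps.example/".hex())
```

A self-signed root carrying Go Daddy's OID therefore still yields None: the fingerprint column, not the OID, is what you cannot reproduce without changing the browser's table.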

