Require CAs to use the CAB Forum EV Policy OID

[wthayer]

Consider requiring CAs to use the CAB Forum EV Policy OID rather than their own custom EV OID. This is already a strong SHOULD, but there are legacy issues to consider.

Discussion: https://groups.google.com/d/msg/mozilla.dev.security.policy/38fR-fiYJt0/1qnHTm8MAwAJ

EV Processing in Firefox: https://wiki.mozilla.org/CA/EV_Processing_for_CAs

[timfromdigicert]

There are also technical issues to consider, because certificates have to work in all browsers. Not all browsers treat all policy OID positions as equal (despite the fact that the RFCs don't consider order as relevant), and not all browsers recognize the CABF EV OIDs for all CAs.

[sleevi]

Note: this is being tackled in sleevi/cabforum-docs#36 for the CABF, to resolve both the requirement and the positioning, to help implementations align on interoperable behavior.

[BenWilson-Mozilla]

Section 7.1.6.4 of the Baseline Requirements states, "Effective 2020‐09‐30, a Certificate issued to a Subscriber MUST contain, within the Certificate’s certificatePolicies extension, one or more policy identifier(s) that are specified beneath the CA/Browser Forum’s reserved policy OID arc of {joint-iso-itu-t(2) international-organizations(23)ca-browser-forum(140) certificate-policies(1)} (2.23.140.1). ...
Certificate Policy Identifier: 2.23.140.1.1
If the Certificate complies with these Requirements and has been issued and operated in accordance with the CA/Browser Forum Guidelines for the Issuance and Management of Extended Validation Certificates (“EV Guidelines”)."

So, can this issue be closed? (Eventually, in the long run, Mozilla would then cease supporting CA-specific EV OIDs.)

[BenWilson-Mozilla]

Closing issue as resolved.