CA/EV Processing for CAs
Contents
EV TLS Capable
Mozilla considers an intermediate certificate to be capable of issuing EV TLS certificates when all of the following are true. The intermediate certificate:
- is signed by an EV TLS Capable certificate (when not directly signed by the root certificate)
- either directly or transitively chains up to a root certificate included in Mozilla's root store with the TLS (Websites) trust bit turned on, and EV enabled
- is not revoked and not expired
- does not have an Extended Key Usage (EKU) extension or does have an EKU extension containing KeyPurposeIds: anyExtendedKeyUsage or id-kp-serverAuth
- has the CA/Browser Forum Certificate Policy Object Identifier (OID) of 2.23.140.1.1 (CABF EV OID) or a CA-specific EV Policy OID (see explanation below).
Firefox EV Processing Logic
Firefox determines whether or not to display the Extended Validation SSL UI for a given website by performing policy validation during certificate path building and verification. Firefox ships with a list of trust anchors (root certificates), some of which are each trusted for a specific EV policy OID. If Firefox can build a trusted path from the end entity certificate to a root certificate that is trusted for a particular OID and where each certificate in the chain has that policy OID in the certificatePolicies extension (or, for intermediate and root certificates, the anyPolicy OID), then that certificate is considered an EV certificate. Additional details are as follows.
First OID
Firefox “recognizes” a set EV policy OIDs associated with some root certificates from some CAs in the Mozilla Root CA Program, plus the CAB Forum EV OID (2.23.140.1.1).
As of Firefox version 103 and later, Firefox will try to build a path with each recognized EV OID in the end-entity certificate until it finds one that works. (This change was implemented via Bugzilla #1769150)
In older Firefox versions (102 or earlier), Firefox was sensitive to the position of OIDs in the certificatePolicies extension of the end-entity certificate. Firefox would only attempt to build a trusted path using the first recognized EV policy OID found in the certificatePolicies extension of the end-entity certificate. Later OIDs, even if recognized by Firefox, were ignored. Thus, if path building does not succeed using that first EV OID, the certificate would not be considered EV.
CA-Specific OIDs
Our long-term goal is to have Firefox only recognize the CAB Forum EV policy OID (2.23.140.1.1). So we stopped adding CA-specific EV OIDs to ExtendedValidation.cpp, and are only adding the 2.23.140.1.1 EV OID for new EV-enablement requests. This page still describes Firefox's treatment of CA-specific EV OIDs because we are not currently planning to go back and change it for root certificates that already had a CA-specific EV OID. Our current plan is to let those pre-existing root certificates expire.
It is fine for the CA's certificates to also specify their CA-specific OID(s), but the 2.23.140.1.1 OID will also need to be in them. Firefox matches the EV OID found in the end-entity certificate with one or more EV OIDs associated with the root in the ExtendedValidation.cpp file. In the process of running the path building algorithm, when a potential root certificate has been identified, the recognized EV policy OID(s) found in the end-entity certificate is compared to the EV policy OID(s) associated with the root. If they match, the candidate is a valid trust anchor, and the end-entity will be considered EV if all other checks pass. In addition, if the CAB Forum EV policy OID is a recognized OID in the certificatePolicies extension of the end-entity certificate, EV status is granted if the root is EV-enabled for any OID.
Policy Constraints
Any Intermediate certificates in the chain must assert a policy that includes a recognized EV policy OID found in the end-entity certificate. This means that one of the following must be true for each intermediate CA certificate in the chain:
- The certificatePolicies extensions includes the anyPolicy OID (2.5.29.32.0) (Note that if the inhibitAnyPolicy extension is present, Firefox will reject the anyPolicy OID regardless of the value set for inhibitAnyPolicy)
- The certificatePolicies extension includes the same “recognized” policy OID as Firefox chose from the end-entity certificate (either a CA-specific OID or the CAB Forum OID)
Cross-Certification
EV certificates that chain to multiple roots via cross-certification follow the rules listed above. Special care should be taken in using CA-specific EV identifiers in this situation because it is possible for there to be a mismatch between the policy Firefox chooses from the end-entity certificate and the policy associated with the root chosen by the path building algorithm. Best practice is to rely on the CAB Forum EV policy OID by placing it in the first position of all end-entity EV certificates.
Revocation Checking
An additional consideration for receiving the EV UI is that revocation checking must succeed via OCSP (or some future revocation checking mechanism) for the end-entity and intermediate CA certificate(s). If the security.OCSP.enabled preference is set to ‘0’, OCSP checking is not performed and the EV UI will not appear for otherwise valid EV certificates.