[144516] in North American Network Operators' Group


Re: EV SSL Certs

daemon@ATHENA.MIT.EDU (Coy Hile)
Mon Sep 12 20:58:28 2011

In-Reply-To: <CAAAwwbWM3UPPYTbRcTAM9A1w0bVy0-CQStahJfBN+KV+c6extg@mail.gmail.com>
Date: Tue, 13 Sep 2011 00:57:40 +0000
From: Coy Hile <coy.hile@coyhile.com>
To: Jimmy Hess <mysidia@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Sep 12, 2011 at 11:39 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> On Mon, Sep 12, 2011 at 7:08 AM, Coy Hile <coy.hile@coyhile.com> wrote:
>> As an academic aside, exactly what would one set on his (internal)
>> root CA so that internally-trusted certs signed by that CA would show
>> up as EV certs?
>
> This is not possible without changing browser source code and recompiling
> (or debugging/editing the browser binary).
> The IDs of certificates that are allowed to sign EVSSL CAs are
> hard-wired in the browser.
> In some browsers, this also means it's impossible for an end user to
> "untrust" or remove an EVSSL CA.
>
> It also means you cannot as a site administrator, make an
> administrative decision to internally add an internal EVSSL CA,
> without customizing every browser.
>
> If you ask me... it's shoddy software design. EVSSL CAs should be
> configurable, but none of the major browsers provide the knobs to
> manually add or remove EVSSL access to/from a trusted CA.
>

Thanks. I saw something about it on TechNet.  (I'm using Windows for
my internal CA).  I'm guessing those instructions may work for IE
only.  If I find anything interesting, I'll let you know.
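The mechanism Jimmy describes, modelled as an added illustration that is not part of this thread or any browser's code: a browser decides "EV or not" by looking up the SHA-256 fingerprint of the trusted root in a compiled-in table and checking whether the leaf's certificatePolicies extension asserts one of the policy OIDs that table allows for that root. Everything below is constructed: the root "certificates" are placeholder byte strings, the table is a stand-in for the browser's built-in list, and the private-enterprise policy OID under 1.3.6.1.4.1 uses a made-up arc (99999). The one real identifier is 2.23.140.1.1, the CA/Browser Forum EV policy OID. The minimal DER helpers are written here so the example runs offline with no third-party library.

```python
"""Model of a browser's EV decision: hard-wired (root fingerprint -> EV
policy OID) table, plus the leaf's certificatePolicies extension.

Added illustration, not code from the NANOG thread or from any browser.
"""
import hashlib


def _read_tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])       # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)


def _decode_oid(value):
    """Decode the value bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def _seq(*parts):
    """Wrap parts in a DER SEQUENCE (short-form length is enough here)."""
    body = b"".join(parts)
    return bytes([0x30, len(body)]) + body


def encode_certificate_policies(oids):
    """Build a certificatePolicies extension value: SEQUENCE OF PolicyInformation,
    each PolicyInformation being SEQUENCE { policyIdentifier OID } (no qualifiers)."""
    return _seq(*[_seq(_encode_oid(o)) for o in oids])


def policy_oids(ext_value):
    """Return the policy OIDs asserted in a certificatePolicies extension value."""
    tag, outer, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        _, info, pos = _read_tlv(outer, pos)      # one PolicyInformation
        itag, oid_bytes, _ = _read_tlv(info, 0)   # its policyIdentifier
        if itag == 0x06:
            oids.append(_decode_oid(oid_bytes))
    return oids


# Constructed placeholders standing in for DER-encoded root certificates.
PUBLIC_EV_ROOT_DER = b"constructed placeholder: DER of a publicly trusted EV root"
INTERNAL_ROOT_DER = b"constructed placeholder: DER of the internal Windows CA root"

# Stand-in for the browser's compiled-in EV table. The real table lives in
# browser source; the only knob an administrator has is not here.
BUILTIN_EV_ROOTS = {
    hashlib.sha256(PUBLIC_EV_ROOT_DER).hexdigest(): {"2.23.140.1.1"},
}

# Leaf asserting the CA/B Forum EV OID and a constructed enterprise policy.
LEAF_POLICIES = encode_certificate_policies(["2.23.140.1.1", "1.3.6.1.4.1.99999.1"])


def ev_status(root_der, leaf_policies_ext, table=BUILTIN_EV_ROOTS):
    """Return the EV policy OID the browser would honour, or None.

    Asserting the OID in the leaf is necessary but not sufficient: the chain's
    root must also be present in the table with that OID."""
    allowed = table.get(hashlib.sha256(root_der).hexdigest(), set())
    for oid in policy_oids(leaf_policies_ext):
        if oid in allowed:
            return oid
    return None


def with_internal_root_added(table=BUILTIN_EV_ROOTS):
    """The change Jimmy describes as 'recompile the browser': a new table entry."""
    patched = {k: set(v) for k, v in table.items()}
    patched[hashlib.sha256(INTERNAL_ROOT_DER).hexdigest()] = {"2.23.140.1.1"}
    return patched


if __name__ == "__main__":
    print("public root :", ev_status(PUBLIC_EV_ROOT_DER, LEAF_POLICIES))
    print("internal root:", ev_status(INTERNAL_ROOT_DER, LEAF_POLICIES))
    print("patched table:", ev_status(INTERNAL_ROOT_DER, LEAF_POLICIES,
                                      with_internal_root_added()))
```

The same leaf returns the EV OID under the public root and None under the internal root, even though the certificate content is identical; only rebuilding the table (the part shipped inside the browser) changes the answer, which is why setting anything on the internal CA itself cannot produce the EV indicator.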

