Addresses Issue mozilla#152 - EV certificate audit scope
BenWilson-Mozilla committed Oct 15, 2020
1 parent 5dec00e commit c1acc76
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions rootstore/policy.md
Expand Up @@ -236,7 +236,7 @@ apply (see section 3.1.1 for specific version numbers):

* [WebTrust for CAs][WebTrust-2.0]
* [WebTrust for CAs - SSL Baseline with Network Security][WebTrust-BRs]
* [WebTrust for CAs - EV SSL][WebTrust-EV] (if capable of issuing EV certificates)
* [WebTrust for CAs - EV SSL][WebTrust-EV] if capable of issuing EV certificates (i.e. a subordinate CA under an EV-enabled root that contains no EKU or the id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and a certificatePolicies extension that asserts the CABF EV OID of 2.23.140.1.1, the anyPolicy OID, or the CA's EV policy OID)

* For the email trust bit, a CA and all subordinate CAs technically capable
of issuing email certificates must have all of the following audits:
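Review bot: In the new EV SSL bullet, the wording "contains no EKU or the id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and a certificatePolicies extension" can be parsed as "contains no ... certificatePolicies extension", which inverts the intended scope. Split it into two explicit conditions: (a) the certificate has no EKU extension, or its EKU extension includes id-kp-serverAuth or anyExtendedKeyUsage; and (b) its certificatePolicies extension asserts 2.23.140.1.1, anyPolicy, or the EV policy OID. "The CA's EV policy OID" should also say which CA is meant, since both the root operator and the subordinate CA are in play in this sentence. Because the clause opens with "i.e.", it reads as an exhaustive definition that names only subordinate CAs; confirm that is intended, or use "e.g." or add the root case.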
Expand All @@ -258,7 +258,7 @@ If being audited to the ETSI criteria, the following audit requirements apply
* [ETSI EN 319 411-2][ETSI-319-411-2] (QCP-w)

An audit showing conformance with the EVCP policy is required if a CA is capable of issuing EV
certificates.
certificates (i.e. a subordinate CA under an EV-enabled root that contains no EKU or the id-kp-serverAuth EKU or anyExtendedKeyUsage EKU, and a certificatePolicies extension that asserts the CABF EV OID of 2.23.140.1.1, the anyPolicy OID, or the CA's EV policy OID).

* For the email trust bit, a CA and all subordinate CAs technically
capable of issuing email certificates must have one of the
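Review bot: The parenthetical appended to the EVCP sentence is a word-for-word copy of the one added to the WebTrust EV SSL bullet, so any later correction has to be made in two places and the copies can drift apart. Define "capable of issuing EV certificates" once (for example in its own paragraph ahead of the WebTrust and ETSI lists) and have both sentences refer to that definition. The added text also leaves this sentence as one very long line while the surrounding paragraph is hard-wrapped; rewrap it to match.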