Extended Validation support for certificates
Submitted by Xan Lopez
Link to original bug (#676210)
Description
Supporting EV for certificates would be useful for browsers or other applications willing to show the usual extra-green UI stuff in the UI (see https://github.com/gnome-design-team/gnome-mockups/raw/master/web/url-entry.png, last entry).
I assume this would go in GTlsCertificate, perhaps as an 'extended-validation' property. What I've been able to figure out so far is:
- Step 1 is to check that the certificatePolicies extension has an OID that matches the one assigned by each CA for their EV certificates. See http://en.wikipedia.org/wiki/Extended_Validation_Certificate. It seems browsers just dump that table statically, for instance Chrome has it in net/base/ev_root_ca_metadata.cc.
- Step 2 is to verify at runtime that the certificate has not been revoked, using something like OCSP. This seems to be optional (?), but is done by the major browsers.
I suppose we could do a simple first patch that does step 1, and then add step 2 on top of it. GnuTLS supports OCSP since 3.0.12, so I guess we would need to bump the dependency if we want to use that.
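An added example (not from this bug report and not glib-networking code) of what the step 1 check amounts to: a static root-to-EV-policy-OID table in the spirit of Chrome's ev_root_ca_metadata.cc, plus a minimal DER decoder for the certificatePolicies extension so sample extension values can be built and parsed inline. 2.23.140.1.1 is the CA/Browser Forum EV policy OID and 2.23.140.1.2.1 its DV OID; the root fingerprint and the 1.3.6.1.4.1.99999.1.1 OID are constructed placeholders.

```python
# Step 1 of the EV check: does the leaf's certificatePolicies carry an EV OID
# that the (already verified) root CA is known to assert? No OCSP here.

def _der_oid(oid):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (to build sample input)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)

def _der_seq(*items):
    body = b"".join(items)
    assert len(body) < 128               # short-form length suffices here
    return bytes([0x30, len(body)]) + body

def _tlv(data, pos):
    """Read one short-form TLV at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length

def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """policyIdentifier OIDs from a DER certificatePolicies value (RFC 5280)."""
    tag, seq, _ = _tlv(ext_value, 0)
    assert tag == 0x30                   # certificatePolicies ::= SEQUENCE OF
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _tlv(seq, pos)  # PolicyInformation ::= SEQUENCE
        tag, oid, _ = _tlv(info, 0)      # first element is policyIdentifier
        assert tag == 0x06
        oids.append(_decode_oid(oid))
    return oids

# Constructed table: root fingerprint (placeholder) -> EV OIDs that root asserts.
EV_ROOTS = {"<sha256-of-example-root>": {"2.23.140.1.1", "1.3.6.1.4.1.99999.1.1"}}

def is_ev(root_fingerprint, ext_value, table=EV_ROOTS):
    """True if any policy OID in the extension is an EV OID for this root."""
    return bool(table.get(root_fingerprint, set()) & set(policy_oids(ext_value)))

SAMPLE_EV = _der_seq(_der_seq(_der_oid("2.23.140.1.1")))     # constructed
SAMPLE_DV = _der_seq(_der_seq(_der_oid("2.23.140.1.2.1")))   # DV policy, not EV
```

Note that the table key must be the root that the chain actually verified to, not a root named in the leaf; otherwise a DV certificate carrying a copied EV OID would pass step 1.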
If all this sounds reasonable I might start to implement it soon, but at the very least the bug will be useful as reference.