Issue 791870

Starred by 12 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug


Hotlists containing this issue:
tag-TLS


Update EV metadata for DigiCert roots

Reported by ben.wil...@digicert.com, Dec 5 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36

Steps to reproduce the problem:
Use an EV Certificate that chains to DigiCert Root certificates (other than the DigiCert High Assurance EV Root)

What is the expected behavior?
EV Certificate should display enhanced display in address bar indicating that it is an EV certificate

What went wrong?
DigiCert's other root certificates do not appear to be EV-enabled in Chrome - see https://chromium.googlesource.com/chromium/src/net/+/master/cert/ev_root_ca_metadata.cc

Did this work before? No 

Chrome version: 62.0.3202.94  Channel: stable
OS Version: 10.0
Flash Version: 

Ryan Sleevi indicated that we needed to file a bug.  DigiCert has several other EV root certificates, including but not limited to the DigiCert Global Root G2, which need to be EV-enabled in Chrome.
 
Components: Internals>Network>EV
Labels: -Arch-x86_64 -Via-Wizard-Other Needs-Feedback
Ben: Can you provide more identifying details?

Please see https://www.chromium.org/Home/chromium-security/root-ca-policy#TOC-Extended-Validation-Certificates for the Chromium EV policy
Cc: sc00335...@techmahindra.com
Labels: Needs-Triage-M62
Here's more info
CA = DigiCert
OID for EV: OID=2.16.840.1.114412.2.1

CA cert names and info:
1) DigiCert Global Root G2 
SHA1 FP=DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
SHA2 FP=CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
Audit=https://cert.webtrust.org/SealFile?seal=2230&file=pdf
Website=https://global-root-g2.chain-demos.digicert.com/

2) DigiCert Global Root G3
SHA1 FP=7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E
SHA2 FP=31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0
Audit=https://cert.webtrust.org/SealFile?seal=2230&file=pdf
Website=https://global-root-g3.chain-demos.digicert.com/

3) DigiCert Trusted Root G4
SHA1 FP=DD:FB:16:CD:49:31:C9:73:A2:03:7D:3F:C8:3A:4D:7D:77:5D:05:E4
SHA2 FP=55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88
Audit=https://cert.webtrust.org/SealFile?seal=2228&file=pdf
Website=https://trusted-root-g4.chain-demos.digicert.com/

4) DigiCert Global Root CA
SHA1 FP=A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA2 FP=43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61
Audit=https://cert.webtrust.org/SealFile?seal=2230&file=pdf
Website=https://global-root-ca.chain-demos.digicert.com/

5) DigiCert Assured ID Root CA
SHA1 FP=05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
SHA2 FP=3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C
Audit=https://cert.webtrust.org/SealFile?seal=2230&file=pdf
Website=https://assured-id-root-ca.chain-demos.digicert.com/

6) DigiCert Assured ID Root G2
SHA1 FP=A1:4B:48:D9:43:EE:0A:0E:40:90:4F:3C:E0:A4:C0:91:93:51:5D:3F
SHA2 FP=7D:05:EB:B6:82:33:9F:8C:94:51:EE:09:4E:EB:FE:FA:79:53:A1:14:ED:B2:F4:49:49:45:2F:AB:7D:2F:C1:85
Audit=https://cert.webtrust.org/SealFile?seal=2230&file=pdf
Website=https://www.digicert.com/digicert-root-certificates.htm

7) DigiCert Assured ID Root G3
SHA1 FP=F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89
SHA2 FP=7E:37:CB:8B:4C:47:09:0C:AB:36:55:1B:A6:F4:5D:B8:40:68:0F:BA:16:6A:95:2D:B1:00:71:7F:43:05:3F:C2
Audit=https://cert.webtrust.org/SealFile?seal=2230&file=pdf
Website=https://assured-id-root-g3.chain-demos.digicert.com/


Cc: awhalley@chromium.org rsleevi@chromium.org
Owner: asymmetric@chromium.org
Status: Assigned (was: Unconfirmed)
This is, of course, in addition to the DigiCert High Assurance root already included.

Comment 6 by rch@chromium.org, Dec 8 2017

Labels: -Needs-Feedback
asymmetric: Is there anything else we need from the reporter?
Status: Started (was: Assigned)
All the required info looks good; starting the CL.
Labels: Needs-Feedback
Hi Ben & Jeremy,
None of the certificates hosted on the test sites listed here assert the EV OID you've provided. Can you please issue and re-install certificates containing the EV Policy OID so that we can validate the EV change before landing the code?
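The requirement behind this comment, as an added example that is not Chromium's code: a leaf gets EV treatment only when its chain ends in a root whose fingerprint is in the EV metadata table and the leaf's certificatePolicies extension carries the OID registered for that root. The table below holds only the five fingerprints from the landing commit mapped to the OID given in comment 3; the minimal DER walker and the sample extension bytes are constructed for this illustration.

```python
# Added illustration, not Chromium code: EV treatment requires the chain's root to be
# in the EV metadata table AND the leaf's certificatePolicies to carry that root's OID.
DIGICERT_EV_OID = "2.16.840.1.114412.2.1"        # OID from comment 3
EV_ROOTS = {                                      # SHA-256 fingerprints of the roots added in 3daa25b
    "cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f": DIGICERT_EV_OID,  # Global Root G2
    "31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0": DIGICERT_EV_OID,  # Global Root G3
    "552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988": DIGICERT_EV_OID,  # Trusted Root G4
    "4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161": DIGICERT_EV_OID,  # Global Root CA
    "3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c": DIGICERT_EV_OID,  # Assured ID Root CA
}
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                               # first byte packs the first two arcs
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def policy_oids(cert_policies_der):
    """Return every policyIdentifier in a DER certificatePolicies extension value."""
    tag, seq, _ = _tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _tlv(seq, pos)             # PolicyInformation ::= SEQUENCE { policyIdentifier, ... }
        _, oid, _ = _tlv(info, 0)
        oids.append(decode_oid(oid))
    return oids

def ev_oid_for_chain(root_sha256_hex, cert_policies_der):
    """Matching EV OID if the chain qualifies for EV, else None."""
    registered = EV_ROOTS.get(root_sha256_hex.lower().replace(":", ""))
    if registered is None:
        return None                               # root not EV-enabled (Assured ID Root G2/G3 at this point)
    return next((o for o in policy_oids(cert_policies_der) if o == registered), None)
# Constructed sample (hand-encoded DER, not from a real cert): CA/B Forum EV OID 2.23.140.1.1, then DigiCert's.
SAMPLE_POLICIES = bytes.fromhex("30163007060567810c0101300b06096086480186fd6c0201")
```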
Devon, we've updated all the test sites except https://assured-id-root-ca.chain-demos.digicert.com to EV certificates with the proper OID. We're working on this last one.
steve.medin@, any updates?
Yes, we've set up the last demo site needed and I was just notified it is ready to test. https://assured-id-root-ca.chain-demos.digicert.com/

Comment 12 by rch@chromium.org, Feb 21 2018

Labels: -Needs-Feedback
asymmetric: PTAL
Comment 13 by bugdroid1@chromium.org, Feb 28 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3daa25b46109954c71f1a5791e3464a54b2973a6

commit 3daa25b46109954c71f1a5791e3464a54b2973a6
Author: Ryan Sleevi <rsleevi@chromium.org>
Date: Wed Feb 28 04:20:49 2018

Add EV to DigiCert Roots

Enabling EV for 5 out of 7 requested Root CAs. Remaining CAs will be
EV enabled if/when DigiCert fixes their test sites to validate changes.

Bug: crbug.com/791870

Change-Id: I0f1bf50383b2bbcaa7179d0c72ee80530ae7033b
Reviewed-on: https://chromium-review.googlesource.com/939730
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#539709}
[modify] https://crrev.com/3daa25b46109954c71f1a5791e3464a54b2973a6/net/cert/ev_root_ca_metadata.cc
[add] https://crrev.com/3daa25b46109954c71f1a5791e3464a54b2973a6/net/data/ssl/ev_roots/31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0.pem
[add] https://crrev.com/3daa25b46109954c71f1a5791e3464a54b2973a6/net/data/ssl/ev_roots/3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c.pem
[add] https://crrev.com/3daa25b46109954c71f1a5791e3464a54b2973a6/net/data/ssl/ev_roots/4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161.pem
[add] https://crrev.com/3daa25b46109954c71f1a5791e3464a54b2973a6/net/data/ssl/ev_roots/552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988.pem
[add] https://crrev.com/3daa25b46109954c71f1a5791e3464a54b2973a6/net/data/ssl/ev_roots/cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f.pem

Thanks Ryan. We are working on the issues with items 6 and 7 from comment 3. I will post a corrected URL for item 6. We are replacing certificates for these two items to use the proper policy OID.
Items 6 and 7 now have new certificates installed. Test URL is changed for item 6 to https://assured-id-root-g2.chain-demos.digicert.com. Item 7 is correct in comment #3 above.
Is this fix included in Chrome 66? The Beta version shows the ev metadata already...
Devon/Ryan, could we please advance with items 6 and 7 from the list in #3? Updated info is in #14 and #15.