[cabf_validation] More Certificate Policy Weirdness

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Mar 17 15:21:18 UTC 2021

I recall the policy OID chaining between issuing CAs and leaf 
certificates having been discussed in the past, and the result of that 
discussion was that chaining is not enforced by Browsers and has no 
applicability for the publicly-trusted TLS Certificates. If such a 
chaining requirement was enforceable by Browsers, it could also be used 
to scope certain Issuing CAs but we didn't want to use that method.

Is there a requirement for the custom CABF OIDs to be present in the 
issuing CA Certificates if they do not have "anyPolicy" ?


On 17/3/2021 5:08 μ.μ., Ryan Sleevi via Validation wrote:
> As I was working through profiles, I stumbled on some additional 
> tricky issues related to the current rules of Certificate Policies, 
> which I've documented at 
> https://github.com/cabforum/servercert/issues/254 
> <https://github.com/cabforum/servercert/issues/254>
> I believe the two suggestions I offer in the issue are natural/logical 
> consequences of our existing requirements (i.e. they do not 
> impose/introduce new requirements, but clarify existing ones), but I'd 
> appreciate feedback from folks to know if they disagree with that.
> Happy to discuss on-list or on GitHub, but wanted to draw folks' 
> attention to it. My current plan is to make the proposed changes now, 
> and we can continue to discuss as part of the profiles work, but I'll 
> continue to update and adjust based on feedback if there are 
> concerns/questions/confusion.
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20210317/14c19c60/attachment.html>

More information about the Validation mailing list