[cabf_validation] More Certificate Policy Weirdness
sleevi at google.com
Wed Mar 17 15:26:30 UTC 2021
On Wed, Mar 17, 2021 at 11:21 AM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:
> I recall the policy OID chaining between issuing CAs and leaf certificates
> having been discussed in the past, and the result of that discussion was
> that chaining is not enforced by Browsers and has no applicability for the
> publicly-trusted TLS Certificates. If such a chaining requirement was
> enforceable by Browsers, it could also be used to scope certain Issuing CAs
> but we didn't want to use that method.
No, this is completely incorrect and inconsistent with RFC 5280.
> Is there a requirement for the custom CABF OIDs to be present in the
> issuing CA Certificates if they do not have "anyPolicy" ?
Yes, this is required by RFC 5280.
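
An added illustration, not part of the original message or either participant's code: certificate-policy processing along a path as described in RFC 5280 section 6.1, showing what happens to a leaf's CABF policy OID when the issuing CA certificate asserts neither that OID nor anyPolicy. It assumes no policy mappings, no inhibitAnyPolicy and no qualifiers; the function name and the CA-specific OID are constructed for the example.

```python
# Certificate-policy processing per RFC 5280 section 6.1, reduced to OID sets.
# Assumptions: no policy mappings, no inhibitAnyPolicy, no policy qualifiers.
ANY_POLICY = "2.5.29.32.0"       # anyPolicy
CABF_DV = "2.23.140.1.2.1"       # CA/Browser Forum domain-validated
CABF_OV = "2.23.140.1.2.2"       # CA/Browser Forum organization-validated
CA_OWN = "1.3.6.1.4.1.99999.1"   # constructed placeholder for a CA-specific OID


def valid_policies(path):
    """Return the policy OIDs that remain valid for the whole path.

    path: one set of certificatePolicies OIDs per certificate, ordered from
    the certificate issued by the trust anchor down to the leaf.
    None means the extension is absent from that certificate.
    An empty result corresponds to a NULL valid_policy_tree.
    """
    valid = {ANY_POLICY}  # initial tree: a single anyPolicy node
    for cert_policies in path:
        if cert_policies is None:
            return set()  # extension absent: the tree becomes NULL
        surviving = set()
        for oid in cert_policies - {ANY_POLICY}:
            # A policy is kept only if the level above asserted the same
            # OID or asserted anyPolicy.
            if oid in valid or ANY_POLICY in valid:
                surviving.add(oid)
        if ANY_POLICY in cert_policies:
            surviving |= valid  # anyPolicy carries the parent's policies down
        valid = surviving
        if not valid:
            return set()
    return valid


if __name__ == "__main__":
    # Constructed paths: [issuing CA policies, leaf policies]
    samples = {
        "CA has anyPolicy": [{ANY_POLICY}, {CABF_DV}],
        "CA has CABF OIDs": [{CABF_DV, CABF_OV}, {CABF_DV}],
        "CA has only its own OID": [{CA_OWN}, {CABF_DV, CA_OWN}],
        "CA has no policies extension": [None, {CABF_DV}],
    }
    for name, path in samples.items():
        print(f"{name}: {sorted(valid_policies(path))}")
```
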