[cabf_validation] More Certificate Policy Weirdness

Ryan Sleevi sleevi at google.com
Wed Mar 17 15:26:30 UTC 2021

On Wed, Mar 17, 2021 at 11:21 AM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

> I recall the policy OID chaining between issuing CAs and leaf certificates
> having been discussed in the past, and the result of that discussion was
> that chaining is not enforced by Browsers and has no applicability for the
> publicly-trusted TLS Certificates. If such a chaining requirement was
> enforceable by Browsers, it could also be used to scope certain Issuing CAs
> but we didn't want to use that method.

No, this is completely incorrect and inconsistent with RFC 5280.

> Is there a requirement for the custom CABF OIDs to be present in the
> issuing CA Certificates if they do not have "anyPolicy" ?

Yes, this is required by RFC 5280.
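
An added example, not part of either message: a simplified Python sketch of the certificate-policy step of RFC 5280 section 6.1 path validation, showing when a leaf's policy OID survives through the issuing CA certificate. The function name, the sample paths and the 2.999.1 OID are constructed for illustration; policy mappings, qualifiers, inhibitAnyPolicy, policy constraints and a restricted user-initial-policy-set are assumed absent.

```python
# Simplified sketch of the certificate-policy step of RFC 5280 section 6.1.
# Not modelled (assumed absent): policy mappings, qualifiers,
# inhibitAnyPolicy, policy constraints, restricted user-initial-policy-set.

ANY_POLICY = "2.5.29.32.0"     # anyPolicy
CABF_DV = "2.23.140.1.2.1"     # CA/Browser Forum domain-validated
CABF_OV = "2.23.140.1.2.2"     # CA/Browser Forum organization-validated
PRIVATE = "2.999.1"            # constructed OID under the example arc


def valid_policies(path):
    """Return the policy OIDs that are valid for the whole path.

    `path` lists the certificatePolicies of each certificate, from the one
    issued by the trust anchor down to the leaf; None means the extension
    is absent. An empty result corresponds to a NULL valid_policy_tree.
    """
    valid = {ANY_POLICY}  # initial tree: a single anyPolicy root
    for policies in path:
        if not policies:
            return set()  # extension absent: the tree becomes NULL
        if ANY_POLICY in valid:
            # Every asserted policy finds an anyPolicy parent node.
            valid = set(policies)
        else:
            # A specific policy needs a matching parent; anyPolicy in this
            # certificate carries all parent policies forward instead.
            matched = set(policies) & valid
            carried = valid if ANY_POLICY in policies else set()
            valid = matched | carried
        if not valid:
            return set()  # nothing chained: the tree stays NULL
    return valid


if __name__ == "__main__":
    # Constructed paths: [issuing CA policies, leaf policies]
    samples = {
        "CA lists the CABF OIDs": [{CABF_DV, CABF_OV}, {CABF_DV}],
        "CA lists only a private OID": [{PRIVATE}, {CABF_DV}],
        "CA asserts anyPolicy": [{ANY_POLICY}, {CABF_DV}],
        "CA has no certificatePolicies": [None, {CABF_DV}],
    }
    for name, path in samples.items():
        print(f"{name}: {sorted(valid_policies(path)) or 'NULL tree'}")
```
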