[cabf_validation] More Certificate Policy Weirdness
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Mar 17 15:43:47 UTC 2021
On 17/3/2021 5:26 PM, Ryan Sleevi wrote:
>
> On Wed, Mar 17, 2021 at 11:21 AM Dimitris Zacharopoulos (HARICA)
> <dzacharo at harica.gr> wrote:
>
> > I recall the policy OID chaining between issuing CAs and leaf
> > certificates having been discussed in the past, and the result of
> > that discussion was that chaining is not enforced by Browsers and
> > has no applicability for the publicly-trusted TLS Certificates. If
> > such a chaining requirement was enforceable by Browsers, it could
> > also be used to scope certain Issuing CAs but we didn't want to
> > use that method.
>
> No, this is completely incorrect and inconsistent with RFC 5280.
>
> > Is there a requirement for the custom CABF OIDs to be present in
> > the issuing CA Certificates if they do not have "anyPolicy"?
>
> Yes, this is required by RFC 5280.
When you say it is required by RFC 5280, are you referring to
https://tools.ietf.org/html/rfc5280#section-4.2.1.4 ?