[cabf_validation] More Certificate Policy Weirdness

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Wed Mar 17 15:43:47 UTC 2021

On 17/3/2021 5:26 μ.μ., Ryan Sleevi wrote:
> On Wed, Mar 17, 2021 at 11:21 AM Dimitris Zacharopoulos (HARICA) 
> <dzacharo at harica.gr <mailto:dzacharo at harica.gr>> wrote:
>     I recall the policy OID chaining between issuing CAs and leaf
>     certificates having been discussed in the past, and the result of
>     that discussion was that chaining is not enforced by Browsers and
>     has no applicability for the publicly-trusted TLS Certificates. If
>     such a chaining requirement was enforceable by Browsers, it could
>     also be used to scope certain Issuing CAs but we didn't want to
>     use that method.
> No, this is completely incorrect and inconsistent with RFC 5280.
>     Is there a requirement for the custom CABF OIDs to be present in
>     the issuing CA Certificates if they do not have "anyPolicy" ?
> Yes, this is required by RFC 5280.

When you say it is required by RFC 5280, are you referring to 
https://tools.ietf.org/html/rfc5280#section- ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20210317/2a65f706/attachment.html>

More information about the Validation mailing list