[cabf_validation] More Certificate Policy Weirdness
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Mar 17 15:43:47 UTC 2021
On 17/3/2021 5:26 PM, Ryan Sleevi wrote:
> On Wed, Mar 17, 2021 at 11:21 AM Dimitris Zacharopoulos (HARICA)
> <dzacharo at harica.gr> wrote:
>
> > I recall the policy OID chaining between issuing CAs and leaf
> > certificates having been discussed in the past, and the result of
> > that discussion was that chaining is not enforced by Browsers and
> > has no applicability for the publicly-trusted TLS Certificates. If
> > such a chaining requirement was enforceable by Browsers, it could
> > also be used to scope certain Issuing CAs but we didn't want to
> > use that method.
>
> No, this is completely incorrect and inconsistent with RFC 5280.
>
> > Is there a requirement for the custom CABF OIDs to be present in
> > the issuing CA Certificates if they do not have "anyPolicy" ?
>
> Yes, this is required by RFC 5280.

When you say it is required by RFC 5280, are you referring to