[cabf_validation] More Certificate Policy Weirdness

Ryan Sleevi sleevi at google.com
Wed Mar 17 15:46:20 UTC 2021


On Wed, Mar 17, 2021 at 11:43 AM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

>
>
> On 17/3/2021 5:26 p.m., Ryan Sleevi wrote:
>
>
>
> On Wed, Mar 17, 2021 at 11:21 AM Dimitris Zacharopoulos (HARICA) <
> dzacharo at harica.gr> wrote:
>
>>
>> I recall the policy OID chaining between issuing CAs and leaf
>> certificates having been discussed in the past, and the result of that
>> discussion was that chaining is not enforced by Browsers and has no
>> applicability for the publicly-trusted TLS Certificates. If such a chaining
>> requirement was enforceable by Browsers, it could also be used to scope
>> certain Issuing CAs but we didn't want to use that method.
>>
>
> No, this is completely incorrect and inconsistent with RFC 5280.
>
>
>> Is there a requirement for the custom CABF OIDs to be present in the
>> issuing CA Certificates if they do not have "anyPolicy" ?
>>
>
> Yes, this is required by RFC 5280.
>
>
> When you say it is required by RFC 5280, are you referring to
> https://tools.ietf.org/html/rfc5280#section-4.2.1.4 ?
>

The algorithm for validating certificates, which is consistent between both
ITU-T X.509 and RFC 5280, with respect to valid policy tree (the output
with respect to 6.1.5)
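The following is an added worked example, not part of the thread and not RFC 5280's or any CA's code: a compact Python model of the valid_policy_tree processing in RFC 5280 sections 6.1.2 through 6.1.5 (policy mappings, qualifiers and policyConstraints are left out), run over constructed chains. The OIDs under 1.3.6.1.4.1.99999 are placeholders standing in for a CA's own policy identifiers; anyPolicy is the real OID. It shows both sides of the exchange above: when a relying party requires an explicit policy, an issuing CA that asserts only its own OID (and not anyPolicy) leaves a leaf asserting a different OID with a NULL valid_policy_tree and path validation fails; when explicit policy is not required (the usual browser configuration), the path still validates, but the set of valid policies it yields is empty.

```python
"""Model of RFC 5280 certificate-policy processing (6.1.2-6.1.5).

Added example, not code from the CABF thread.  Certificates are constructed
dicts, not parsed X.509; policy mappings, qualifiers and policyConstraints are
omitted, so this covers 6.1.3(d)-(f), 6.1.4(h) and 6.1.5(a),(g) only."""

ANY_POLICY = "2.5.29.32.0"             # anyPolicy, the real OID from RFC 5280
# Constructed placeholder OIDs standing in for a CA's own policy identifiers.
OID_CA_POLICY = "1.3.6.1.4.1.99999.1"
OID_LEAF_POLICY = "1.3.6.1.4.1.99999.2"


class Node:
    """valid_policy_tree node: valid_policy, expected_policy_set, depth, parent."""

    def __init__(self, valid_policy, expected, depth, parent=None):
        self.valid_policy, self.expected, self.depth = valid_policy, set(expected), depth
        self.parent, self.children = parent, []
        if parent is not None:
            parent.children.append(self)


def all_nodes(root):
    stack, found = [root], []
    while stack:
        node = stack.pop()
        found.append(node)
        stack.extend(node.children)
    return found


def nodes_at_depth(root, depth):
    return [node for node in all_nodes(root) if node.depth == depth]


def prune(root, max_depth):
    """6.1.3(d)(3) / 6.1.5(g)(iv): delete childless nodes of depth <= max_depth,
    deepest first; the tree becomes NULL (None) once the root has no children."""
    for depth in range(max_depth, 0, -1):
        for node in nodes_at_depth(root, depth):
            if not node.children:
                node.parent.children.remove(node)
    return root if root.children else None


def validate_policies(chain, user_policies, require_explicit_policy):
    """chain: the certificates after the trust anchor, ending with the leaf.  Each is
    a dict with 'policies' (list of OIDs, or None when the extension is absent) and
    an optional 'self_issued' flag.  Returns (path_ok, valid policies at depth n)."""
    n = len(chain)
    explicit_policy = 0 if require_explicit_policy else n + 1     # 6.1.2(d)
    inhibit_any_policy = n + 1                                      # 6.1.2(e), not inhibited
    tree = Node(ANY_POLICY, {ANY_POLICY}, 0)                        # 6.1.2(a)

    for i, cert in enumerate(chain, start=1):
        policies = cert["policies"]
        if tree is not None and policies is not None:               # 6.1.3(d)
            parents = nodes_at_depth(tree, i - 1)
            for p in policies:
                if p == ANY_POLICY:
                    continue
                matched = [node for node in parents if p in node.expected]      # (d)(1)(i)
                if not matched:                                                 # (d)(1)(ii)
                    matched = [node for node in parents if node.valid_policy == ANY_POLICY]
                for node in matched:
                    Node(p, {p}, i, node)
            if ANY_POLICY in policies and (inhibit_any_policy > 0
                                           or (i < n and cert.get("self_issued"))):
                for node in parents:                                            # (d)(2)
                    for expected in node.expected:
                        if not any(c.valid_policy == expected for c in node.children):
                            Node(expected, {expected}, i, node)
            tree = prune(tree, i - 1)                                           # (d)(3)
        elif policies is None:
            tree = None                                                         # 6.1.3(e)
        if explicit_policy <= 0 and tree is None:                               # 6.1.3(f)
            return False, set()
        if i < n and not cert.get("self_issued"):                               # 6.1.4(h)
            explicit_policy = max(explicit_policy - 1, 0)
            inhibit_any_policy = max(inhibit_any_policy - 1, 0)

    if explicit_policy > 0:                                                     # 6.1.5(a)
        explicit_policy -= 1
    if tree is not None and ANY_POLICY not in user_policies:                    # 6.1.5(g)
        # (i)-(ii): nodes whose parent is anyPolicy form the valid_policy_node_set;
        # those outside the user-initial-policy-set are dropped with their subtrees.
        for node in all_nodes(tree):
            if (node.parent is not None and node.parent.valid_policy == ANY_POLICY
                    and node.valid_policy != ANY_POLICY and node.valid_policy not in user_policies):
                node.parent.children.remove(node)
        # (iii): an anyPolicy node at depth n stands for every user policy not yet present.
        for node in nodes_at_depth(tree, n):
            if node.valid_policy == ANY_POLICY:
                present = {m.valid_policy for m in all_nodes(tree)}
                for p in set(user_policies) - present:
                    Node(p, {p}, n, node.parent)
                node.parent.children.remove(node)
        tree = prune(tree, n - 1)                                               # (g)(iv)
    valid = {node.valid_policy for node in nodes_at_depth(tree, n)} if tree else set()
    return (explicit_policy > 0 or tree is not None), valid


if __name__ == "__main__":
    # Constructed chains: issuing CA, then leaf (trust anchor not included).
    ca, leaf = {"policies": [OID_CA_POLICY]}, {"policies": [OID_LEAF_POLICY]}
    print(validate_policies([ca, leaf], {OID_LEAF_POLICY}, True))    # (False, set())
    print(validate_policies([ca, leaf], {OID_LEAF_POLICY}, False))   # (True, set())
    print(validate_policies([{"policies": [ANY_POLICY]}, leaf], {OID_LEAF_POLICY}, True))
```

The third call in the demo, with the issuing CA asserting anyPolicy, returns the leaf's OID as a valid policy, which is the case in which the leaf's policy identifier survives to the output of 6.1.5. The model treats the trust anchor as implicit, so the chain list starts with the first CA certificate below it.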