[cabf_validation] Profiles: cPSuri for Cross-certificates

Wayne Thayer wthayer at gmail.com
Wed May 18 22:19:57 UTC 2022

While reviewing the draft certificate profiles ballot
<https://github.com/sleevi/cabforum-docs/pull/36>, I noticed that section
"Cross-Certified Subordinate CA Extensions" references section
for the certificatePolicies extension. This section states that the
id-qt-cps (cPSuri) policy qualifier must contain:

*"The HTTP or HTTPS URL for the Issuing CA's Certificate Policies,
Certification Practice Statement, Relying Party Agreement, or other pointer
to online policy information provided by the Issuing CA."*

This means that the CPS link in an externally operated cross-certificate
must (if present) point to the root CA's policies. I think that the cPSuri
should reference the policies under which the CA certificate is operated
rather than the policies of the issuing CA.

I asked Ryan about this and he correctly pointed out
that while the language is different, the same requirement exists in the
current version of the BRs.

This is a minor issue in the grand scheme of things, but I'd like to
suggest that we consider changing the requirement, or at least add some
additional language to call out the non-intuitive nature of the existing


