<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 2, 2017 at 11:11 AM, Rob Stradling <span dir="ltr"><<a href="mailto:rob.stradling@comodo.com" target="_blank">rob.stradling@comodo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Ryan, please could you expand on precisely how and why it's technically 'incorrect' to do, for example, the following...<br>
<br>
Root (Certificate Policies: none, so effectively anyPolicy)<br>
Intermediate (Certificate Policies: just the BR DV OID)<br>
Leaf (Certificate Policies: the BR DV OID and 2.23.140.x.y.z)<br>
<br>
...or even...<br>
<br>
Root (Certificate Policies: none, so effectively anyPolicy)<br>
Intermediate (Certificate Policies: a CA-specific EV OID)<br>
Leaf (Certificate Policies: the same EV OID and 2.23.140.x.y.z)<br>
<br>
?<br>
<br>
In other words, under what RFC5280-conforming circumstances would the fact that 2.23.140.x.y.z doesn't appear in the Intermediate certificate actually make any difference to the outcome?<br>
<br>
My reading of 5280 section 6 this morning (fueled by insufficient coffee, I have to admit) was that: each of the policy OIDs in a cert are processed independently; it's sufficient to match _just one_ OID in the Leaf and Intermediate (in my examples above, that's the BR DV OID or the CA-specific EV OID); therefore, the non-matching of 2.23.140.x.y.z would never actually matter (as long as the BR DV OID, or the CA-specific EV OID, or anyPolicy, are in the set of permitted policies).</blockquote><div><br></div><div>Perhaps I explained it poorly, because that's what I was trying to describe :)</div><div><br></div><div>That is, you would not, as part of the inputs to RFC 5280, validate that Leaf was ever valid for 2.23.140.x.y.z (the user-initial-policy-set from <a href="https://tools.ietf.org/html/rfc5280#section-6.1.1">https://tools.ietf.org/html/rfc5280#section-6.1.1</a> ). But the absence of it from the Intermediate would not cause RFC 5280 validation to fail, assuming the anyPolicy was given in the user-initial-policy-set - it just won't have 2.23.140.x.y.z in the resultant valid_policy_tree ( <a href="https://tools.ietf.org/html/rfc5280#section-6.1.6">https://tools.ietf.org/html/rfc5280#section-6.1.6</a> ) </div></div><br></div></div>