<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 2, 2017 at 11:34 AM, Rob Stradling <span dir="ltr"><<a href="mailto:rob.stradling@comodo.com" target="_blank">rob.stradling@comodo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 02/05/17 16:15, Ryan Sleevi wrote:<br>
<snip><span class=""><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Perhaps I explained it poorly, because that's what I was trying to<br>
describe :)<br>
</blockquote>
<br></span>
Great. Maybe I had had enough coffee. :-)<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
That is, you would not, as part of the inputs to RFC 5280, validate that<br>
Leaf was ever valid for 2.23.140.x.y.z (the user-initial-policy-set from<br>
<a href="https://tools.ietf.org/html/rfc5280#section-6.1.1" rel="noreferrer" target="_blank">https://tools.ietf.org/html/rfc5280#section-6.1.1</a> ). But the absence of<br>
it from the Intermediate would not cause RFC 5280 validation to fail,<br></span>
assuming the anyPolicy was given in the user-initial-policy-set - it<span class=""><br>
just won't have 2.23.140.x.y.z in the resultant valid_policy_tree (<br>
<a href="https://tools.ietf.org/html/rfc5280#section-6.1.6" rel="noreferrer" target="_blank">https://tools.ietf.org/html/rfc5280#section-6.1.6</a> )<br>
</span></blockquote>
<br>
If anyPolicy is not in the user-initial-policy-set, but the BR DV OID (for my first example) or the CA-specific EV OID (for my second example) is in the user-initial-policy-set, that would also suffice, right?</blockquote><div><br></div><div>Correct. None of the implementations today by the member browsers (except for the possibility of 360, which I've not examined) provide BR DV OIDs in the user-initial-policy-set, but 'most', on encountering a leaf asserting a CA-specific EV OID, will attempt to supply that policy OID in the user-initial-policy-set.</div><div><br></div><div>In both cases, the presence of an (unrelated) OID will work.</div><div><br></div><div>My remarks about the 'incorrectness' of it were with respect to the fact that, as structured and implemented (and without the intermediate asserting anyPolicy, which arguably is a desirable property - that is, to not require/encourage intermediates to assert anyPolicy), the leaf would never validate with the 2.23.140.x.y.z OID in the user-initial-policy-set.</div><div><br></div><div>It's 'effective', just 'crude', from an engineering perspective :)</div></div></div></div>
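The valid_policy_tree behaviour the two messages above discuss (a leaf asserting a BR policy OID beneath an intermediate that asserts neither that OID nor anyPolicy ends up with an empty tree, yet the path still validates when no explicit policy is required; with anyPolicy in the intermediate the leaf's OID survives the intersection with the user-initial-policy-set) can be reproduced with a reduced model of RFC 5280 section 6.1. This is an added example written for this page, not code from the thread or from any browser's validator. It omits policy mappings, qualifiers, inhibitAnyPolicy and requireExplicitPolicy; it uses 2.23.140.1.2.1 as the CA/Browser Forum DV OID and a constructed OID under the 2.999 example arc as the stand-in for a CA-specific EV policy.

```python
# Added illustration of RFC 5280 section 6.1 certificate-policy processing (valid_policy_tree only).
# Not code from the thread. Omitted: policy mappings, qualifiers, inhibitAnyPolicy, requireExplicitPolicy.

ANY_POLICY = "2.5.29.32.0"      # anyPolicy
BR_DV_OID = "2.23.140.1.2.1"    # CA/Browser Forum BR domain-validated policy OID
CA_EV_OID = "2.999.1.1"         # constructed stand-in for a CA-specific EV OID (2.999 is the example arc)


class Node:
    """A valid_policy_tree node (RFC 5280 6.1.2 (a)); qualifiers are not modelled."""

    def __init__(self, valid_policy, parent, depth):
        self.valid_policy = valid_policy
        self.expected_policy_set = {valid_policy}
        self.parent, self.depth, self.children = parent, depth, []
        if parent is not None:
            parent.children.append(self)


def _walk(root):
    stack, out = [root], []
    while stack:
        node = stack.pop()
        out.append(node)
        stack.extend(node.children)
    return out


def _prune(root, max_depth):
    """Delete childless nodes of depth <= max_depth until none remain (6.1.3 (d)(3), 6.1.5 (g)(iii)(4))."""
    changed = True
    while changed:
        changed = False
        for node in _walk(root):
            if node.depth <= max_depth and not node.children and node.parent is not None:
                node.parent.children.remove(node)
                changed = True
    return None if (not root.children and root.depth <= max_depth) else root


def validate_policies(chain, user_initial_policy_set, initial_explicit_policy=False):
    """chain: certificatePolicies OID sets, intermediates first and the leaf last; None means the
    extension is absent. Returns (path_valid, policies at the leaf after the user-set intersection)."""
    n = len(chain)
    tree = Node(ANY_POLICY, None, 0)                         # 6.1.2 (a): initial anyPolicy node
    for i, policies in enumerate(chain, start=1):
        if policies is None:                                 # 6.1.3 (e): no extension -> tree is NULL
            tree = None
        if tree is None:
            continue
        prev = [nd for nd in _walk(tree) if nd.depth == i - 1]
        for p in policies - {ANY_POLICY}:                    # 6.1.3 (d)(1)
            matches = [nd for nd in prev if p in nd.expected_policy_set]
            if matches:
                for nd in matches:
                    Node(p, nd, i)                           # (d)(1)(i): a parent expects P
            else:
                any_nodes = [nd for nd in prev if nd.valid_policy == ANY_POLICY]
                if any_nodes:
                    Node(p, any_nodes[0], i)                 # (d)(1)(ii): a parent asserted anyPolicy
        if ANY_POLICY in policies:                           # 6.1.3 (d)(2); anyPolicy is never inhibited here
            for nd in prev:
                have = {c.valid_policy for c in nd.children}
                for expected in nd.expected_policy_set - have:
                    Node(expected, nd, i)
        tree = _prune(tree, i - 1)                           # 6.1.3 (d)(3)

    if tree is not None and user_initial_policy_set != {ANY_POLICY}:   # 6.1.5 (g)(iii)
        vpns = [nd for nd in _walk(tree) if nd.parent is not None and nd.parent.valid_policy == ANY_POLICY]
        for nd in vpns:                                      # (g)(iii)(2): drop policies the user did not ask for
            if nd.valid_policy not in user_initial_policy_set and nd.valid_policy != ANY_POLICY:
                nd.parent.children.remove(nd)
        kept = {nd.valid_policy for nd in vpns if nd in nd.parent.children}
        for nd in [x for x in _walk(tree) if x.depth == n and x.valid_policy == ANY_POLICY]:
            for p in user_initial_policy_set - kept:         # (g)(iii)(3): expand a leaf-level anyPolicy
                Node(p, nd.parent, n)
            nd.parent.children.remove(nd)
        tree = _prune(tree, n - 1)
    leaf = frozenset(nd.valid_policy for nd in _walk(tree) if nd.depth == n) if tree else frozenset()
    # 6.1.5 (g): the path succeeds if an explicit policy was never required or the tree is non-empty
    return (not initial_explicit_policy) or bool(leaf), leaf


def thread_scenarios():
    """The cases discussed in the thread; the leaf asserts the BR DV OID in each (constructed chains)."""
    intermediate_own_oid = [{CA_EV_OID}, {BR_DV_OID}]        # intermediate asserts neither DV nor anyPolicy
    intermediate_any = [{ANY_POLICY}, {BR_DV_OID}]           # intermediate asserts anyPolicy
    return {
        "own_oid/any_user": validate_policies(intermediate_own_oid, {ANY_POLICY}),
        "own_oid/dv_user": validate_policies(intermediate_own_oid, {BR_DV_OID}),
        "own_oid/dv_user/explicit": validate_policies(intermediate_own_oid, {BR_DV_OID}, True),
        "anypolicy/dv_user": validate_policies(intermediate_any, {BR_DV_OID}),
        "anypolicy/ev_user": validate_policies(intermediate_any, {CA_EV_OID}),
    }


if __name__ == "__main__":
    for name, (valid, policies) in thread_scenarios().items():
        print(f"{name:28s} path_valid={valid} leaf_policies={sorted(policies)}")
```

The first three scenarios are the situation the reply calls crude: the DV OID never reaches the tree, so the path passes only because initial-explicit-policy is unset, and fails the moment a relying party demands a policy. The anyPolicy scenarios show why the intermediate's anyPolicy is what makes the leaf's OID survive the intersection, and that an unrelated OID in the user-initial-policy-set still yields a valid path with an empty tree.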