<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 17/3/2021 5:26 μ.μ., Ryan Sleevi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CACvaWvYkmGWcwLF7V259qhTQwWCzm_ZGPMQhq1zrRn-Cc-CqXQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Mar 17, 2021 at
11:21 AM Dimitris Zacharopoulos (HARICA) <<a
href="mailto:dzacharo@harica.gr" moz-do-not-send="true">dzacharo@harica.gr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> <br>
I recall the policy OID chaining between issuing CAs and
leaf certificates having been discussed in the past, and
the result of that discussion was that chaining is not
enforced by Browsers and has no applicability for the
publicly-trusted TLS Certificates. If such a chaining
requirement was enforceable by Browsers, it could also be
used to scope certain Issuing CAs but we didn't want to
use that method.<br>
</div>
</blockquote>
<div><br>
</div>
<div>No, this is completely incorrect and inconsistent with
RFC 5280.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div> Is there a requirement for the custom CABF OIDs to be
present in the issuing CA Certificates if they do not have
"anyPolicy" ?</div>
</blockquote>
<div><br>
</div>
<div>Yes, this is required by RFC 5280.</div>
</div>
</div>
</blockquote>
<br>
When you say it is required by RFC 5280, are you referring to
<a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc5280#section-4.2.1.4">https://tools.ietf.org/html/rfc5280#section-4.2.1.4</a> ?<br>
<br>
<br>
</body>
</html>