<div dir="ltr"><div>While reviewing the <a href="https://github.com/sleevi/cabforum-docs/pull/36">draft certificate profiles ballot</a>, I noticed that section 7.1.2.2.3 "Cross-Certified Subordinate CA Extensions" references <a href="https://github.com/sleevi/cabforum-docs/blob/profiles/docs/BR.md#712105-certificate-policies">section 7.1.2.10.5</a> for the certificatePolicies extension. This section states that the id-qt-cps (cPSuri) policy qualifier must contain:</div><div><br></div><div><i>"The HTTP or HTTPS URL for the Issuing CA's Certificate Policies,
Certification Practice Statement, Relying Party Agreement, or other
pointer to online policy information provided by the Issuing CA."</i></div><div><br></div><div>This means that the CPS link in an externally operated cross-certificate must (if present) point to the root CA's policies. I think that the cPSuri should reference the policies under which the CA certificate is operated rather than the policies of the issuing CA.</div><div><br></div><div>I asked Ryan about this and he <a href="https://github.com/sleevi/cabforum-docs/pull/36#pullrequestreview-965169715">correctly pointed out</a> that while the language is different, the same requirement exists in the current version of the BRs.</div><div><br></div><div>This is a minor issue in the grand scheme of things, but I'd like to suggest that we consider changing the requirement, or at least add some additional language to call out the non-intuitive nature of the existing requirement.<br></div><div><br></div><div>Thanks,</div><div><br></div><div>Wayne<br></div></div>