<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
We would like to clarify the following requirement in section 7.1.2.10.5 CA Certificate Certificate Policies, specifically for cross signing certificates.</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
RFC 5280 states that you can have one CertPolicyId within the PolicyInformation, see below:</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px 0px 0px 40px; font-family: "Courier New", monospace; font-size: 9pt; color: rgb(0, 0, 0);">
<i>certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation</i></div>
<div style="margin-left: 40px; font-family: "Courier New", monospace; font-size: 9pt; color: rgb(0, 0, 0);">
<i><br>
</i></div>
<div class="elementToProof" style="margin-left: 40px; font-family: "Courier New", monospace; font-size: 9pt; color: rgb(0, 0, 0);">
<i>PolicyInformation ::= SEQUENCE {</i></div>
<div class="elementToProof" style="margin-left: 40px; font-family: "Courier New", monospace; font-size: 9pt; color: rgb(0, 0, 0);">
<i> policyIdentifier </i><b><i>CertPolicyId</i></b><i>,</i></div>
<div style="margin-left: 40px; font-family: "Courier New", monospace; font-size: 9pt; color: rgb(0, 0, 0);">
<i> policyQualifiers SEQUENCE SIZE (1..MAX) OF</i></div>
<div class="elementToProof" style="margin-left: 40px; font-family: "Courier New", monospace; font-size: 9pt; color: rgb(0, 0, 0);">
<i> PolicyQualifierInfo OPTIONAL }</i></div>
<div class="elementToProof" style="margin-left: 40px; font-family: "Courier New", monospace; font-size: 9pt; color: rgb(0, 0, 0);">
<i><br>
</i></div>
<div class="elementToProof" style="margin-left: 40px; font-family: "Courier New", monospace; font-size: 9pt; color: rgb(0, 0, 0);">
<b><i>CertPolicyId </i></b><i>::= OBJECT IDENTIFIER</i></div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Section 7.1.2.10.5 of the TLS BR states for the policyIdentifier:</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px 0px 0px 40px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<i>The CA MUST include </i><b><i><u>at least one</u></i></b><i> Reserved Certificate Policy Identifier (see Section 7.1.6.1) associated with the given Subscriber Certificate type (see Section 7.1.2.7.1) directly or transitively issued by this Certificate.</i></div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px 0px 0px 40px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
This 'at least one' seems to contradict RFC 5280 which indicates that we can only have one policyIdentifier in the PolicyInformation sequence.</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Then, at the bottom of this section, the TLS BRs state that the entire certificate policies extension MUST contain exactly one Reserved Certificate Policy Identifier:</div>
<div style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px 0px 0px 40px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<i>Regardless of the order of PolicyInformation values, the Certificate Policies extension
</i><b><i><u>MUST contain exactly one</u></i></b><i> Reserved Certificate Policy Identifier.</i></div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px 0px 0px 40px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<i><br>
</i></div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
While we can repeat the PolicyInformation within the certificatePolicies extension, does this mean that CAs are prohibited from issuing a cross signing certificate (from a multi-purpose root to another multi-purpose root) with policy constraints that include DV,
OV and EV reserved certificate policy identifiers? If our reading of this section is correct, this would mean that CAs need to issue three separate cross signing certificates in that case.</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Paul</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
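<div>The structure discussed in the message above, worked through in code as an added example (not part of the message or of any CA's tooling): it DER-encodes a certificatePolicies value with one CertPolicyId per PolicyInformation, repeating PolicyInformation entries to carry several policies, decodes it back, and applies the section's "exactly one Reserved Certificate Policy Identifier" count to the whole extension. The reserved OID values are the TLS BR section 7.1.6.1 identifiers for DV, OV, IV and EV; any other OID passed in is treated as a CA-specific policy.</div>

```python
RESERVED_POLICY_OIDS = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV",  # TLS BR 7.1.6.1
                        "2.23.140.1.2.3": "IV", "2.23.140.1.1": "EV"}

def _tlv(tag, body):
    if len(body) < 0x80:  # DER short-form length
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body  # long-form length

def encode_oid(dotted):
    # OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_certificate_policies(oids):
    # SEQUENCE OF PolicyInformation; each entry carries exactly one policyIdentifier
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80: arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def policy_identifiers(der):
    _, seq, _ = _read_tlv(der, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)              # one PolicyInformation
        oids.append(decode_oid(_read_tlv(info, 0)[1]))  # its policyIdentifier
    return oids

def check_br_7_1_2_10_5(der):
    # passes only when exactly one Reserved Certificate Policy Identifier is present
    found = [RESERVED_POLICY_OIDS[o] for o in policy_identifiers(der) if o in RESERVED_POLICY_OIDS]
    return len(found) == 1, found
```

Passing DV, OV and EV identifiers together yields three repeated PolicyInformation entries and fails the "exactly one" check, while a single reserved identifier beside a CA-specific OID passes.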
</body>
</html>