<html>
 <head>
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
 </head>
 <body>
  <div style="font-family: sans-serif;">
   <span dir="ltr" style="margin-top:0; margin-bottom:0;">I believe sometimes we forget that the CABF is maintaining a list of "baseline requirements", so why is it problematic to have an issuing CA that is technically capable of issuing DV and OV, or OV and EV or any other combination of end-entity certificates?</span>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">I am having second thoughts about the entire "Affiliate - non-Affiliate" separation. Ultimately we are talking about the same key management and policies. Let's take a quick example.</span>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">We have two publicly-trusted Trust Service Providers A and B. TSP(A) has more ubiquity.</span>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">TSP(B) has a Root CA and, according to the requirements, Root CAs do not allow the certificatePolicies extension which practically leads to "anyPolicy".</span>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">TSP(B) issues an ICA that is technically capable of issuing all types of TLS Certificates (DV, OV, EV) using the anyPolicy value in the certificatePolicies extension. It also limits the scope to TLS using the EKU. Again, everything is by the book.</span>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">Now, TSP(B) wants to get cross signed by TSP(A) for more ubiquity. According to the current rules, the cross certificate, even for the ICA, must include only one reserved CABF OID.</span>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">Why should the rules require TSP(B) to practically change their CA structure when in fact the WebPKI approves their existing behavior?</span>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">I think it should be allowed for a CA Certificate to include more than one reserved CABF OID. It should be up to the TSP to decide the structure and separation of DV, OV, IV or EV per ICA and enforce it via policy OID or not.</span>
   <br>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">Best regards,</span>
   <br>
   <br><span dir="ltr" style="margin-top:0; margin-bottom:0;">Dimitris.</span>
   <br>
  </div>
  <div class="fairemail_quote">
   <div dir="ltr" style="font-family: sans-serif">
    <p>Sep 6, 2024 23:19:13 Bruce Morton via Validation <validation@cabforum.org>:</p>
   </div>
   <blockquote lang="EN-US" link="blue" vlink="purple" style="margin:0;word-wrap:break-word;border-left:3px solid #ccc; padding-left:10px;">
    <div class="WordSection1" style="page: WordSection1;">
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">Hi Clint,</span></p>
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">I think the requirement should apply to a certificate to a CA, which can issue CA certificates. I’m not sure of the right terminology, but I categorize this as a Root-to-Root CA or a Root-to-Intermediate CA Certificate. It would not apply to a CA certificate where the CA issues Subscriber certificates.</span></p>
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">Bruce.</span></p>
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
     <div>
      <div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in;">
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;"> Validation <validation-bounces@cabforum.org> <b>On Behalf Of </b>Clint Wilson via Validation<br><b>Sent:</b> Friday, September 6, 2024 2:45 PM<br><b>To:</b> Paul van Brouwershaven <Paul.vanBrouwershaven@entrust.com>; CA/Browser Forum Validation SC List <validation@cabforum.org><br><b>Subject:</b> [EXTERNAL] Re: [cabf_validation] Section 7.1.2.10.5 CA Certificate Certificate Policies for cross signing certificates</span></p>
      </div>
     </div>
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
     <div>
      <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;">Hi Paul,</p>
     </div>
     <div>
      <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
     </div>
     <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;">One concern I have with this change is its impact on the cross-certification of subordinate CAs which directly issue end-entity TLS certificates. That is, I think it appropriate to maintain the requirement/limitation that only one Reserved Certificate Policy Identifier be included in the Cross-Certified Subordinate CA Certificate where the CA Certificate being signed/certified is a Subordinate CA Certificate as opposed to a Root CA Certificate.</p>
     <div>
      <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
      <div>
        <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;">Since the introduction to this Profile in Section 7.1.2.2 states that the Profile is the same regardless of whether the “source” CA Certificate is a Root CA Certificate or a Subordinate CA Certificate, I <i>think</i> this newly added Section 7.1.2.2.6 would need to indicate clearly its scope of applicability against Cross-Certified Subordinate CA Certificates which are the result of issuing a CA Certificate using the same Subject Name and Subject Public Key Information as an existing Root CA Certificate.</p>
      </div>
      <div>
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
      </div>
      <div>
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;">It also seems like it may be helpful to clarify that the Certificate Policies extension defined in this newly added Section 7.1.2.2.6 needs to be compatible between the Cross-Certified Subordinate CA and its Issuing CA (though, perhaps, obvious, this would also help ensure that the separation of pre- and post-SC-062 CA Certificates is maintained, at least in the cases where the `anyPolicy` Policy Identifier is not used). I’m not entirely sure this is necessary, as I suspect it’s required elsewhere within Section 7, but I couldn’t find it in a quick search so thought I’d mention it.</p>
      </div>
      <div>
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
      </div>
      <div>
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;">Thanks!</p>
      </div>
      <div>
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;">-Clint</p>
      </div>
      <div>
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
      </div>
      <div>
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
       <div>
        <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><br><br></p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt;">
         <div>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;">On Sep 6, 2024, at 6:21 AM, Paul van Brouwershaven via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:</p>
         </div>
         <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
         <div>
          <div>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;margin-bottom:12.0pt;"><span style="font-size:11.0pt;">Following yesterday's discussion in the validation subcommittee teleconference, we are now seeking two members to endorse the ballot. Feedback is also welcome, either here or on the pull request.</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">### Purpose of the Ballot</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">This ballot duplicates the content of section 7.1.2.10.5 (CA Certificate Certificate Policies) into section 7.1.2.2 (Cross-Certified Subordinate CA Certificate Profile) as section 7.1.2.2.6 (Cross-Certified Subordinate CA Certificate Certificate Policies), modifying the requirement from "MUST contain exactly one Reserved Certificate Policy Identifier" to "MUST include at least one Reserved Certificate Policy Identifier" to allow the inclusion of multiple Reserved Certificate Policy Identifiers in a Cross-Certified Subordinate CA Certificate.</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">The following motion has been proposed by Paul van Brouwershaven (Entrust) and endorsed by XXX (XXX) and XXX (XXX).</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">GitHub pull request for this ballot: <a href="https://github.com/cabforum/servercert/pull/544">https://github.com/cabforum/servercert/pull/544</a></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">### Motion begins</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">MODIFY the "Baseline Requirements for the Issuance and Management of Publicly-Trusted TLS Server Certificates" ("TLS Baseline Requirements") based on Version 2.0.6 as specified in the following redline:</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"><a href="https://github.com/cabforum/servercert/compare/929d9b4a1ed1f13f92f6af672ad6f6a2153b8230...89f80028b40ce6a1a5c52b406d37e5534460a1a1">https://github.com/cabforum/servercert/compare/929d9b4a1ed1f13f92f6af672ad6f6a2153b8230...89f80028b40ce6a1a5c52b406d37e5534460a1a1</a></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">### Motion ends</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">This ballot proposes a Final Maintenance Guideline. The procedure for approval of this ballot is as follows:</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">Discussion (7+ days)</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">- Start time: TBC</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">- End time: TBC</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">Vote for approval (7 days)</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"> </span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">- Start time: TBC</span></p>
          </div>
          <div style="margin-left:30.0pt;-webkit-text-stroke-width: 0px;font-variant-caps: normal;word-spacing:0px;text-align:start;">
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">- End time: TBC</span></p>
          </div>
          <div class="MsoNormal" align="center" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;text-align:center;">
           <hr size="2" width="803" style="width:601.95pt;" align="center">
          </div>
          <div id="divRplyFwdMsg">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;"> Validation <<a href="mailto:validation-bounces@cabforum.org">validation-bounces@cabforum.org</a>> on behalf of Paul van Brouwershaven via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>><br><b>Sent:</b> Thursday, September 5, 2024 16:40<br><b>To:</b> CABforum3 <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>><br><b>Subject:</b> [EXTERNAL] [cabf_validation] Section 7.1.2.10.5 CA Certificate Certificate Policies for cross signing certificates</span></p>
           <div>
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;"> </span></p>
           </div>
          </div>
          <div>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">We would like to clarify the following requirement in section 7.1.2.10.5 CA Certificate Certificate Policies, specifically for cross signing certificates.</span></p>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">RFC 5280 states that you can have one CertPolicyId within the PolicyInformation, see below:</span></p>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
           <div style="margin-left:30.0pt;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><i><span style="font-size:9.0pt;font-family:"Courier New";">certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation</span></i><span style="font-size:9.0pt;font-family:"Courier New";"></span></p>
           </div>
           <div style="margin-left:30.0pt;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:9.0pt;font-family:"Courier New";"></span></p>
           </div>
           <div style="margin-left:30.0pt;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><i><span style="font-size:9.0pt;font-family:"Courier New";">PolicyInformation ::= SEQUENCE {</span></i><span style="font-size:9.0pt;font-family:"Courier New";"></span></p>
           </div>
           <div style="margin-left:30.0pt;">
             <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><i><span style="font-size:9.0pt;font-family:"Courier New";">        policyIdentifier   <b>CertPolicyId</b>,</span></i></p>
           </div>
           <div style="margin-left:30.0pt;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><i><span style="font-size:9.0pt;font-family:"Courier New";">        policyQualifiers   SEQUENCE SIZE (1..MAX) OF</span></i><span style="font-size:9.0pt;font-family:"Courier New";"></span></p>
           </div>
           <div style="margin-left:30.0pt;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><i><span style="font-size:9.0pt;font-family:"Courier New";">                                PolicyQualifierInfo OPTIONAL }</span></i><span style="font-size:9.0pt;font-family:"Courier New";"></span></p>
           </div>
           <div style="margin-left:30.0pt;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:9.0pt;font-family:"Courier New";"></span></p>
           </div>
           <div style="margin-left:30.0pt;">
             <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><b><i><span style="font-size:9.0pt;font-family:"Courier New";">CertPolicyId </span></i></b><i><span style="font-size:9.0pt;font-family:"Courier New";">::= OBJECT IDENTIFIER</span></i></p>
           </div>
           <div>
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
           </div>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">Section 7.1.2.10.5 of the TLS BR states for the policyIdentifier:</span></p>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
           <div style="margin-left:30.0pt;">
             <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><i><span style="font-size:11.0pt;">The CA MUST include <b><u>at least one</u></b> Reserved Certificate Policy Identifier (see Section 7.1.6.1) associated with the given Subscriber Certificate type (see Section 7.1.2.7.1) directly or transitively issued by this Certificate.</span></i></p>
           </div>
           <div style="margin-left:30.0pt;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
           </div>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">This 'at least one' seems to contradict RFC 5280 which indicates that we can only have one policyIdentifier in the PolicyInformation sequence.</span></p>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">Then at the bottom of this section the TLS BRs state that the entire certificate policies extension MUST contain exactly one Reserved Certificate Policy Identifier:</span></p>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
           <div style="margin-left:30.0pt;">
             <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><i><span style="font-size:11.0pt;">Regardless of the order of PolicyInformation values, the Certificate Policies extension <b><u>MUST contain exactly one</u></b> Reserved Certificate Policy Identifier.</span></i></p>
           </div>
           <div style="margin-left:30.0pt;">
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
           </div>
            <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">While we can repeat the PolicyInformation within the certificatePolicies extension, does this mean that CAs are prohibited from issuing a cross signing certificate (from a multi-purpose root to another multi-purpose root) with policy constraints that include DV, OV and EV reserved certificate policy identifiers? If our reading of this section is correct, this would mean that CAs need to issue three separate cross signing certificates in that case.</span></p>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;"></span></p>
           <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:11.0pt;">Paul</span></p>
          </div>
          <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;">_______________________________________________<br>
             Validation mailing list<br><a href="mailto:Validation@cabforum.org">Validation@cabforum.org</a><br><a href="https://lists.cabforum.org/mailman/listinfo/validation">https://lists.cabforum.org/mailman/listinfo/validation</a></span></p>
         </div>
        </blockquote>
       </div>
       <p class="MsoNormal" style="margin: 0in; font-size: 12pt; font-family: "Aptos", sans-serif;"></p>
      </div>
     </div>
    </div>
   </blockquote>
  </div>
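<p>The certificatePolicies structure quoted from RFC 5280 in Paul's message and the "exactly one" versus "at least one" Reserved Certificate Policy Identifier wording debated in this thread, worked through as an added example (not code from the CA/B Forum, Entrust or any CA): a minimal DER encoder/decoder for the extension and a lint that reports how a cross-certificate extension fares under each wording. The Reserved OIDs for DV, OV, IV and EV and the anyPolicy OID are the real values from TLS BR 7.1.6.1 and RFC 5280; the sample extensions are constructed inline.</p>

```python
"""Added example (not CA/B Forum or CA code): DER encoder/decoder for the
certificatePolicies extension quoted from RFC 5280, plus a lint that counts
Reserved Certificate Policy Identifiers under both wordings from the thread."""

# Reserved Certificate Policy Identifiers (TLS BR 7.1.6.1) and RFC 5280 anyPolicy.
RESERVED_POLICY_OIDS = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV",
                        "2.23.140.1.2.2": "OV", "2.23.140.1.2.3": "IV"}
ANY_POLICY = "2.5.29.32.0"
TAG_OID, TAG_SEQUENCE = 0x06, 0x30

def _der_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV); indefinite length is not DER."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    length = first
    if first > 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base 128, high bit set on all but the last
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([TAG_OID]) + _der_length(len(body)) + bytes(body)

def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def encode_certificate_policies(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation (qualifiers omitted)."""
    infos = b""
    for oid in oids:
        inner = encode_oid(oid)
        infos += bytes([TAG_SEQUENCE]) + _der_length(len(inner)) + inner
    return bytes([TAG_SEQUENCE]) + _der_length(len(infos)) + infos

def decode_certificate_policies(der: bytes) -> list:
    """Return the policyIdentifier of every PolicyInformation, in order."""
    tag, outer, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_value, _ = _read_tlv(info, 0)  # policyIdentifier is the first field
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_value))
    return oids

def lint_reserved_policies(der: bytes) -> dict:
    """Count Reserved Certificate Policy Identifiers under both wordings."""
    oids = decode_certificate_policies(der)
    reserved = [RESERVED_POLICY_OIDS[o] for o in oids if o in RESERVED_POLICY_OIDS]
    return {
        "policies": oids,
        "reserved": reserved,
        "any_policy": ANY_POLICY in oids,    # not a Reserved identifier; the BR treats it separately
        "exactly_one": len(reserved) == 1,   # current 7.1.2.10.5 wording
        "at_least_one": len(reserved) >= 1,  # proposed 7.1.2.2.6 wording
    }
```

<p>Run on a constructed extension carrying DV, OV and EV at once (Paul's multi-purpose cross certificate), the lint reports exactly_one as False and at_least_one as True; an anyPolicy-only extension (Dimitris's ICA) carries no Reserved identifier, so both counts are False and any_policy is True.</p>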
 </body>
</html>