[cabfcert_policy] certificatePolicies qualifiers

Kurt Roeckx kurt at roeckx.be
Sat Apr 30 05:38:42 MST 2016


Hi,

The BR currently have this:
> #### 7.1.2.3 Subscriber Certificate
> a. certificatePolicies
> 
>     This extension MUST be present and SHOULD NOT be marked
>     critical.
> 
>     *   certificatePolicies:policyIdentifier (Required)
> 
>         A Policy Identifier, defined by the issuing CA, that
>         indicates a Certificate Policy asserting the issuing CA's
>         adherence to and compliance with these Requirements.
> 
>         The following extensions MAY be present:
> 
>         *   certificatePolicies:policyQualifiers:policyQualifierId
>             (Recommended)
> 
>             *   id-qt 1 [RFC 5280].
> 
>         *   certificatePolicies:policyQualifiers:qualifier:cPSuri
>             (Optional)
> 
>             HTTP URL for the Subordinate CA's Certification
>             Practice Statement, Relying Party Agreement or other
>             pointer to online information provided by the CA.

Where "id-qt 1" seems to be this from RFC5280:

   id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }

It's very confusing what it's trying to say.  I think it wants to
say that it can have an optional qualifier (not extension) with
a URI for the CPS and that the OID for that qualifier is id-qt-cps.

If you fill in that OID, the cPSuri is not optional.

RFC5280 also says:

>    To promote interoperability, this profile RECOMMENDS that
>    policy information terms consist of only an OID.

My understanding of the "OID" is that it talks about the
policyIdentifier, not an OID in the qualifiers.  So that it
recommends not to use qualifiers.

And so it recommends the opposite thing, not to use the qualifiers,
and so not to have the URI to the CPS.  But I do find the URL to the
CPS useful.


Kurt
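
The structure the post is picking apart, as an added example that is not part of the list post: a minimal DER walk over a certificatePolicies value that reports each policyIdentifier with its qualifiers, plus a check for the rule that once policyQualifierId is id-qt-cps the qualifier is not optional but must be a cPSuri (an IA5String). The sample extension values and the URL in them are constructed for the example; 2.23.140.1.2.1 is the CA/Browser Forum DV policy OID.

```python
# Added example (not from the list post): decode a DER certificatePolicies value
# and flag an id-qt-cps qualifier whose body is not a cPSuri. Samples are constructed.
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"                     # id-qt-cps ::= { id-qt 1 }, RFC 5280
ID_QT_CPS_DER = bytes.fromhex("2b06010505070201")   # DER content octets of that OID
DV_POLICY_DER = bytes.fromhex("67810c010201")       # 2.23.140.1.2.1 (CA/B Forum DV policy)
IA5STRING, OID, SEQ = 0x16, 0x06, 0x30               # DER universal tags used below

def _der_to_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 subidentifiers, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def _tlv(tag, body):  # short-form length only; enough for these samples
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):  # -> (tag, content, position after this TLV)
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_certificate_policies(der):
    """Return [(policyIdentifier, [(policyQualifierId, qualifier_tag, qualifier_bytes)])]."""
    _, body, _ = _read_tlv(der, 0)
    policies, pos = [], 0
    while pos < len(body):  # SEQUENCE OF PolicyInformation
        _, pi, pos = _read_tlv(body, pos)
        _, oid_body, q = _read_tlv(pi, 0)
        quals, qpos = [], 0
        qseq = _read_tlv(pi, q)[1] if q < len(pi) else b""  # policyQualifiers OPTIONAL
        while qpos < len(qseq):  # SEQUENCE OF PolicyQualifierInfo
            _, pqi, qpos = _read_tlv(qseq, qpos)
            _, qid, r = _read_tlv(pqi, 0)
            qtag, qval, _ = _read_tlv(pqi, r)  # qualifier is ANY; its type follows the id
            quals.append((_der_to_oid(qid), qtag, qval))
        policies.append((_der_to_oid(oid_body), quals))
    return policies

def cps_qualifier_problems(policies):  # id-qt-cps paired with anything but an IA5String cPSuri
    return [f"{p}: id-qt-cps qualifier is not a cPSuri (tag 0x{t:02x})"
            for p, quals in policies for qid, t, _ in quals
            if qid == ID_QT_CPS and t != IA5STRING]

def _sample(qualifier):  # constructed: one DV policy carrying one qualifier
    pqi = _tlv(SEQ, _tlv(OID, ID_QT_CPS_DER) + qualifier)
    return _tlv(SEQ, _tlv(SEQ, _tlv(OID, DV_POLICY_DER) + _tlv(SEQ, pqi)))

GOOD = _sample(_tlv(IA5STRING, b"http://example.com/cps"))  # cPSuri present
BAD = _sample(_tlv(SEQ, _tlv(0x0C, b"not a URI")))          # wrong body under id-qt-cps
```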


