[cabfpub] PolicyMappings and EV issuance practices

Ryan Sleevi sleevi at google.com
Wed Aug 15 00:33:59 UTC 2012


While I suspect and hope it is unlikely, I was hoping for input from
CAs issuing EV certificates regarding whether or not they issue
intermediates that make use of the PolicyMappings extension (RFC 5280,
Section 4.2.1.5) as a means to convey EV issuance policies.

From reading the EV Guidelines through its incarnations, from version
1.0 to the current version 1.4, the language associated with EV
Subordinate CA Certificates (Section 9.3.4.1 of Version 1.4) does not
specifically reference certificatePolicies, unlike the language for
Subscriber Certificates (Section 9.3.2 of Version 1.4). Further,
Section 9.7.3 of Version 1.4 indicates that the Subscriber's
certificate MUST contain the policyIdentifier of the Issuer (the
Subordinate), rather than explicitly specifying the Root.

By reading these three sections together, I'm curious if any CAs have
interpreted these sections as permitting the Subscriber Certificate to
contain a policy OID that is not itself defined by the Root CA, but
which, by use of PolicyMappings on the Subordinate CA, maps the
Subscriber's policy OID to one of the EV policy OIDs associated with
the Root CA Certificate.

If so, it would make Section 6.2 of the Guidelines for Processing of
EV Certificates (Version 1.0) much more complicated, since an
application would not be able to tell whether or not the policy OIDs
on the Subscriber Certificate indicate an EV Issuance Policy without
first mapping the policy OIDs via a/the Subordinate CA Certificate.

Further, it's not clear from the language of Section 6.2 whether a
Subscriber certificate was meant to be distinguishable prior to RFC
5280 path processing. My concern is that it seems possible to read
this section as meaning "Distinguishable by looking at the
valid_policy_tree output following PKIX processing" (Section 6.1.6 of
RFC 5280), which would mean an application would have to construct a
number of paths before being able to determine if a Subscriber
certificate *may* be issued under an EV policy.

Have any member CAs interpreted it as such?
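To make the concern in the last two paragraphs concrete, here is an added example (not from this message, the EV Guidelines, or any CA's code): a simplified RFC 5280 policy-tree walk over two constructed chains, showing that a Subscriber certificate whose EV status rests on PolicyMappings in the Subordinate CA cannot be recognised from its own certificatePolicies and only emerges from the valid_policy_tree after path processing. All OIDs and certificate contents are constructed; policy constraints, inhibitAnyPolicy and qualifiers are omitted.

```python
ANY_POLICY = "2.5.29.32.0"  # RFC 5280 anyPolicy OID

def valid_policy_tree(chain):
    """Simplified RFC 5280 6.1.3 (d) and 6.1.4 (b) policy-tree processing.
    chain: constructed cert dicts from the cert below the trust anchor to the
    leaf. Returns {leaf valid_policy: depth-1 policy it descends from}.
    Policy constraints, inhibitAnyPolicy and qualifiers are ignored."""
    # Node = (valid_policy, expected_policy_set, depth-1 ancestor policy).
    # Only the current depth is kept, so childless nodes prune themselves.
    nodes = [(ANY_POLICY, {ANY_POLICY}, ANY_POLICY)]  # depth 0: trust anchor
    for depth, cert in enumerate(chain, start=1):
        children = []
        def add(oid, expected, parent_d1):
            children.append((oid, set(expected), oid if depth == 1 else parent_d1))
        for oid in cert["policies"] - {ANY_POLICY}:
            parents = [n for n in nodes if oid in n[1]]          # (d)(1)(i)
            if not parents:                                      # (d)(1)(ii)
                parents = [n for n in nodes if n[0] == ANY_POLICY]
            for _, _, d1 in parents:
                add(oid, {oid}, d1)
        if ANY_POLICY in cert["policies"]:                       # (d)(2)
            for _, expected, d1 in nodes:
                for oid in expected:
                    if not any(c[0] == oid for c in children):
                        add(oid, {oid}, d1)
        for issuer_oid, subject_oids in cert.get("mappings", {}).items():
            hits = [i for i, c in enumerate(children) if c[0] == issuer_oid]
            for i in hits:                                       # 6.1.4 (b)(1)
                children[i] = (issuer_oid, set(subject_oids), children[i][2])
            if not hits:                                         # 6.1.4 (b)(2)
                for _, _, d1 in [c for c in children if c[0] == ANY_POLICY]:
                    add(issuer_oid, subject_oids, d1)
        nodes = children
    return {vp: d1 for vp, _, d1 in nodes}

def ev_policies_after_path_processing(chain, ev_root_oids):
    """6.1.6-style intersection with a user-initial-policy-set of EV OIDs."""
    return {vp for vp, d1 in valid_policy_tree(chain).items()
            if d1 in ev_root_oids or d1 == ANY_POLICY}

def leaf_looks_ev(chain, ev_root_oids):
    """The naive check: inspect only the Subscriber's certificatePolicies."""
    return bool(chain[-1]["policies"] & ev_root_oids)

# Constructed OIDs under a private arc, not any real CA's or CA/B Forum values.
EV_ROOT_OID = "1.3.6.1.4.1.99999.1.1"  # EV policy associated with the Root
SUB_OID = "1.3.6.1.4.1.99999.2.7"      # policy the Subordinate defines for Subscribers
MAPPED_CHAIN = [{"policies": {EV_ROOT_OID}, "mappings": {EV_ROOT_OID: {SUB_OID}}},
                {"policies": {SUB_OID}}]  # Subordinate CA with PolicyMappings, then Subscriber
DIRECT_CHAIN = [{"policies": {EV_ROOT_OID}}, {"policies": {EV_ROOT_OID}}]
```

For MAPPED_CHAIN the leaf-only check reports no EV policy while the tree walk yields SUB_OID descending from EV_ROOT_OID; for DIRECT_CHAIN both agree, which is the distinction an application would have to resolve before deciding what to display.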