[cabfpub] Certificate Policies extension in Subordinate CA Certificates

Ryan Sleevi sleevi at google.com
Sun Mar 15 23:04:31 UTC 2015


---------- Forwarded message ----------
From: "Peter Bowen" <pzbowen at gmail.com>
Date: Mar 15, 2015 1:25 PM
Subject: [CABFORUM] Certificate Policies extension in Subordinate CA
Certificates
To: "Ryan Sleevi" <sleevi at google.com>
Cc:

Section 9.3.3 and Appendix B of the Baseline Requirements provide two
different sets of requirements for Subordinate CA (SubCA)
certificates.

Both break down Subordinate CA certificates into two categories: where
the SubCA is an affiliate of the Root CA and when the SubCA is not an
affiliate.

For affiliate SubCAs, Appendix B says the certificatePolicies
extension MUST be present and MUST have a policyIdentifier. 9.3.3 says
MAY include an identifier and MAY contain the anyPolicy identifier.
9.3.3 does not have any MUST statements for an affiliate SubCA.

For non-affiliate SubCAs, Appendix B says the certificatePolicies
extension MUST be present and MUST have a policyIdentifier AND the
policyQualifierId and cPSuri fields MAY be present.  9.3.3 says MUST
include an explicit policy identifier and MAY not contain the
anyPolicy identifier.

Is the intent that all Subordinate CAs MUST have at least one
policyIdentifier?  Or is the certificatePolicies extension optional
for affiliate SubCAs?

Google's CT log shows that the majority of CAs are including the
extension in SubCA certificates, but not all are.

Thanks,
Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150315/d268cef1/attachment-0002.html>


More information about the Public mailing list