[cabfpub] Ballot 190

Rob Stradling rob.stradling at comodo.com
Tue May 2 10:02:57 UTC 2017

On 02/05/17 10:23, Gervase Markham via Public wrote:
> On 02/05/17 10:18, Rob Stradling via Public wrote:
>> Or you could embed all of this into a single Certificate Policy OID.
> (off-list)
> Would that not be problematic if, as a previous message in the thread
> noted, there wasn't an anyPolicy OID in the intermediate? Or am I
> misunderstanding how this works?

Hi Gerv.  I was about to reply "Oh yeah, you're right", but I thought 
I'd first take another look at RFC5280 Section 6 (Certificate Path 

I *think* each of the policy OIDs in a leaf cert are processed 
independently.  That is, as long as at least 1 of the OID(s) matches the 
expected set, it's valid.

But please seek a second opinion on that.  I'm far from confident that I 
understand correctly.  :-)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list