[cabfpub] Ballot 190

Ryan Sleevi sleevi at google.com
Tue May 2 14:52:36 UTC 2017

Define valid?

Yes, it's totally fine to use the OID as a policy signifier in a way that
will not (negatively) impact validation, unless you attempt to positively
assert "Valid for this OID"

What I mean is that the leaf can use a number of OIDs to express the
policies upon which it was issued/validated. If the intermediate lacks
those OIDs, then you will not be able to validate (using RFC 5280) rules
for that specific policy OID (e.g. if you say "Tell me if this cert is
valid for this policy OID"), BUT that doesn't negatively impact policy
validation to have that OID (e.g. if you say "Tell me if this cert is

The subtlety here is whether or not it's conforming with the purpose of
policy OIDs, and whether or not we should overload that. There's an
argument that "Ah yes, we all know how to add policy OIDs" which makes it
quite appealing, but on the other hand, it creates the 'intentional
incorrectness' if the intermediate lacks these policy OIDs (as one would

I don't have _strong_ feelings about it, but was proposing a way that we
could do it "right" (new extension). If there are reasons within the
technical infrastructure that would make this difficult/impossible to do in
a timely fashion, certainly, the policy OID offers a solution, even if
'technically' incorrect.

On Tue, May 2, 2017 at 6:02 AM, Rob Stradling via Public <
public at cabforum.org> wrote:

> On 02/05/17 10:23, Gervase Markham via Public wrote:
>> On 02/05/17 10:18, Rob Stradling via Public wrote:
>>> Or you could embed all of this into a single Certificate Policy OID.
>> (off-list)
>> Would that not be problematic if, as a previous message in the thread
>> noted, there wasn't an anyPolicy OID in the intermediate? Or am I
>> misunderstanding how this works?
> Hi Gerv.  I was about to reply "Oh yeah, you're right", but I thought I'd
> first take another look at RFC5280 Section 6 (Certificate Path
> Validation)...
> I *think* each of the policy OIDs in a leaf cert are processed
> independently.  That is, as long as at least 1 of the OID(s) matches the
> expected set, it's valid.
> But please seek a second opinion on that.  I'm far from confident that I
> understand correctly.  :-)
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170502/320b9d19/attachment-0003.html>

More information about the Public mailing list