[cabfpub] Ballot 190

Rob Stradling rob.stradling at comodo.com
Tue May 2 15:11:22 UTC 2017

Ryan, please could you expand on precisely how and why it's technically 
'incorrect' to do, for example, the following...

Root (Certificate Policies: none, so effectively anyPolicy)
   Intermediate (Certificate Policies: just the BR DV OID)
     Leaf (Certificate Policies: the BR DV OID and 2.23.140.x.y.z)

...or even...

Root (Certificate Policies: none, so effectively anyPolicy)
   Intermediate (Certificate Policies: a CA-specific EV OID)
     Leaf (Certificate Policies: the same EV OID and 2.23.140.x.y.z)


In other words, under what RFC5280-conforming circumstances would the 
fact that 2.23.140.x.y.z doesn't appear in the Intermediate certificate 
actually make any difference to the outcome?

My reading of 5280 section 6 this morning (fueled by insufficient 
coffee, I have to admit) was that: each of the policy OIDs in a cert are 
processed independently; it's sufficient to match _just one_ OID in the 
Leaf and Intermediate (in my examples above, that's the BR DV OID or the 
CA-specific EV OID); therefore, the non-matching of 2.23.140.x.y.z would 
never actually matter (as long as the BR DV OID, or the CA-specific EV 
OID, or anyPolicy, are in the set of permitted policies).

On 02/05/17 15:52, Ryan Sleevi wrote:
> Define valid?
> Yes, it's totally fine to use the OID as a policy signifier in a way
> that will not (negatively) impact validation, unless you attempt to
> positively assert "Valid for this OID"
> What I mean is that the leaf can use a number of OIDs to express the
> policies upon which it was issued/validated. If the intermediate lacks
> those OIDs, then you will not be able to validate (using RFC 5280) rules
> for that specific policy OID (e.g. if you say "Tell me if this cert is
> valid for this policy OID"), BUT that doesn't negatively impact policy
> validation to have that OID (e.g. if you say "Tell me if this cert is
> valid")
> The subtlety here is whether or not it's conforming with the purpose of
> policy OIDs, and whether or not we should overload that. There's an
> argument that "Ah yes, we all know how to add policy OIDs" which makes
> it quite appealing, but on the other hand, it creates the 'intentional
> incorrectness' if the intermediate lacks these policy OIDs (as one would
> presume).
> I don't have _strong_ feelings about it, but was proposing a way that we
> could do it "right" (new extension). If there are reasons within the
> technical infrastructure that would make this difficult/impossible to do
> in a timely fashion, certainly, the policy OID offers a solution, even
> if 'technically' incorrect.
> On Tue, May 2, 2017 at 6:02 AM, Rob Stradling via Public
> <public at cabforum.org <mailto:public at cabforum.org>> wrote:
>     On 02/05/17 10:23, Gervase Markham via Public wrote:
>         On 02/05/17 10:18, Rob Stradling via Public wrote:
>             Or you could embed all of this into a single Certificate
>             Policy OID.
>         (off-list)
>         Would that not be problematic if, as a previous message in the
>         thread
>         noted, there wasn't an anyPolicy OID in the intermediate? Or am I
>         misunderstanding how this works?
>     Hi Gerv.  I was about to reply "Oh yeah, you're right", but I
>     thought I'd first take another look at RFC5280 Section 6
>     (Certificate Path Validation)...
>     I *think* each of the policy OIDs in a leaf cert are processed
>     independently.  That is, as long as at least 1 of the OID(s) matches
>     the expected set, it's valid.
>     But please seek a second opinion on that.  I'm far from confident
>     that I understand correctly.  :-)

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list