[cabfpub] Ballot 190

Ryan Sleevi sleevi at google.com
Tue May 2 15:15:24 UTC 2017

On Tue, May 2, 2017 at 11:11 AM, Rob Stradling <rob.stradling at comodo.com>

> Ryan, please could you expand on precisely how and why it's technically
> 'incorrect' to do, for example, the following...
> Root (Certificate Policies: none, so effectively anyPolicy)
>   Intermediate (Certificate Policies: just the BR DV OID)
>     Leaf (Certificate Policies: the BR DV OID and 2.23.140.x.y.z)
> ...or even...
> Root (Certificate Policies: none, so effectively anyPolicy)
>   Intermediate (Certificate Policies: a CA-specific EV OID)
>     Leaf (Certificate Policies: the same EV OID and 2.23.140.x.y.z)
> ?
> In other words, under what RFC5280-conforming circumstances would the fact
> that 2.23.140.x.y.z doesn't appear in the Intermediate certificate actually
> make any difference to the outcome?
> My reading of 5280 section 6 this morning (fueled by insufficient coffee,
> I have to admit) was that: each of the policy OIDs in a cert are processed
> independently; it's sufficient to match _just one_ OID in the Leaf and
> Intermediate (in my examples above, that's the BR DV OID or the CA-specific
> EV OID); therefore, the non-matching of 2.23.140.x.y.z would never actually
> matter (as long as the BR DV OID, or the CA-specific EV OID, or anyPolicy,
> are in the set of permitted policies).

Perhaps I explained it poorly, because that's what I was trying to describe

That is, you would not, as part of the inputs to RFC 5280, validate that
Leaf was ever valid for 2.23.140.x.y.z (the user-initial-policy-set from
https://tools.ietf.org/html/rfc5280#section-6.1.1 ). But the absence of it
from the Intermediate would not cause RFC 5280 validation to fail, assuming
the anyPolicy was given in the user-initial-policy-set - it just won't have
2.23.140.x.y.z in the resultant valid_policy_tree (
https://tools.ietf.org/html/rfc5280#section-6.1.6 )
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170502/247ddf9b/attachment-0003.html>

More information about the Public mailing list