[cabfpub] Ballot 190

Rob Stradling rob.stradling at comodo.com
Tue May 2 15:34:11 UTC 2017

On 02/05/17 16:15, Ryan Sleevi wrote:
> Perhaps I explained it poorly, because that's what I was trying to
> describe :)

Great.  Maybe I had had enough coffee.  :-)

> That is, you would not, as part of the inputs to RFC 5280, validate that
> Leaf was ever valid for 2.23.140.x.y.z (the user-initial-policy-set from
> https://tools.ietf.org/html/rfc5280#section-6.1.1 ). But the absence of
> it from the Intermediate would not cause RFC 5280 validation to fail,
> assuming the anyPolicy was given in the user-initial-policy-set- it
> just won't have 2.23.140.x.y.z in the resultant valid_policy_tree (
> https://tools.ietf.org/html/rfc5280#section-6.1.6 )

If anyPolicy is not in the user-initial-policy-set, but the BR DV OID 
(for my first example) or the CA-specific EV OID (for my second example) 
is in the user-initial-policy-set, that would also suffice, right?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list