[cabfpub] Ballot 190

Rob Stradling rob.stradling at comodo.com
Tue May 2 15:44:51 UTC 2017


On 02/05/17 16:40, Ryan Sleevi wrote:
<snip>
> Correct. None of the implementations today by the member browsers
> (except for the possibility of 360, which I've not examined) provide BR
> DV OIDs in the user-initial-policy-set, but 'most' will, on encountering
> a leaf asserting a CA-specific EV OID, attempt to supply that
> policy OID in the user-initial-policy-set.
>
> In both cases, the presence of an (unrelated) OID will work.
>
> My remarks about the 'incorrectness' of it were with respect to the fact
> that, as structured and implemented (and without the intermediate
> asserting anyPolicy, which arguably is a desirable property - that is,
> to not require/encourage intermediates to assert anyPolicy), the leaf
> would never validate with the 2.23.140.x.y.z OID in the
> user-initial-policy-set.
>
> It's 'effective', just 'crude', from an engineering perspective :)

And if, as today, the Leaf cert doesn't contain 2.23.140.x.y.z, then the 
same is true: the leaf would never validate with the 2.23.140.x.y.z OID 
in the user-initial-policy-set.  Right?  If so, I'm not really sure why 
you think this approach would be "crude", tbh.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
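
Added example, not part of the original message: a simplified sketch of RFC 5280 section 6.1 policy processing (no policy mappings, inhibitAnyPolicy or requireExplicitPolicy) applied to the chains discussed in this thread. `2.23.140.x.y.z` is kept as the thread's placeholder; `OTHER_OID`, the scenario names and the function names are constructed for illustration.

```python
# Simplified RFC 5280 section 6.1 policy processing (assumption: no policy
# mappings, no inhibitAnyPolicy/requireExplicitPolicy counters, no qualifiers).
ANY_POLICY = "2.5.29.32.0"           # anyPolicy
BR_OID = "2.23.140.x.y.z"            # placeholder exactly as written in the thread
OTHER_OID = "1.3.6.1.4.1.99999.1"    # constructed stand-in for an unrelated policy OID


def authority_policies(chain):
    """Return the policies valid for the whole path.

    chain: one set of certificatePolicies OIDs per certificate, ordered from
    the certificate issued by the trust anchor down to the leaf.
    """
    valid = {ANY_POLICY}                       # initial tree: one anyPolicy node
    for cert in chain:
        if not cert:                           # extension absent: tree becomes NULL
            return set()
        # An anyPolicy parent matches everything the certificate asserts;
        # otherwise only policies already valid above can survive.
        matched = set(cert) if ANY_POLICY in valid else valid & cert
        if ANY_POLICY in cert:                 # anyPolicy carries parent policies down
            matched |= valid
        valid = matched
    return valid


def user_constrained_policies(chain, user_initial_policy_set):
    """Intersect the path's policies with the user-initial-policy-set."""
    valid = authority_policies(chain)
    if ANY_POLICY in user_initial_policy_set:
        return valid
    if ANY_POLICY in valid:                    # anyPolicy leaf satisfies any requested OID
        return set(user_initial_policy_set)
    return valid & set(user_initial_policy_set)


# Constructed chains: [intermediate policies, leaf policies]
SCENARIOS = {
    "intermediate: other OID only; leaf: other + BR": [{OTHER_OID}, {OTHER_OID, BR_OID}],
    "intermediate: anyPolicy; leaf: other + BR": [{ANY_POLICY}, {OTHER_OID, BR_OID}],
    "intermediate: anyPolicy; leaf: other only": [{ANY_POLICY}, {OTHER_OID}],
}

if __name__ == "__main__":
    for name, chain in SCENARIOS.items():
        for user_set in ({BR_OID}, {OTHER_OID}):
            result = user_constrained_policies(chain, user_set)
            print(f"{name} | user set {sorted(user_set)} -> {sorted(result) or 'NULL'}")
```

An empty result means the path fails whenever an explicit policy is required for that user-initial-policy-set.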



