[cabfpub] Ballot 190
Rob Stradling
rob.stradling at comodo.com
Tue May 2 15:44:51 UTC 2017
On 02/05/17 16:40, Ryan Sleevi wrote:
<snip>
> Correct. None of the implementations today by the member browsers
> (except for the possibility of 360, which I've not examined) provide BR
> DV OIDs in the user-initial-policy-set, but 'most', on encountering
> a leaf asserting a CA-specific EV OID, will attempt to supply that
> policy OID in the user-initial-policy-set.
>
> In both cases, the presence of an (unrelated) OID will work.
>
> My remarks about the 'incorrectness' of it were with respect to the fact
> that, as structured and implemented (and without the intermediate
> asserting anyPolicy, which arguably is a desirable property - that is,
> to not require/encourage intermediates to assert anyPolicy), the leaf
> would never validate with the 2.23.140.x.y.z OID in the
> user-initial-policy-set.
>
> It's 'effective', just 'crude', from an engineering perspective :)
And if, as today, the Leaf cert doesn't contain 2.23.140.x.y.z, then the
same is true: the leaf would never validate with the 2.23.140.x.y.z OID
in the user-initial-policy-set. Right? If so, I'm not really sure why
you think this approach would be "crude", tbh.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
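
A simplified model of RFC 5280 certificate policy processing for the chains discussed in this thread, added here as an example and not code from either poster or from any browser. It omits policy mappings, inhibitAnyPolicy and policy constraints, assumes explicit policy is required, keeps the thread's `2.23.140.x.y.z` placeholder as-is, and uses a constructed CA-specific EV OID from the 2.999 example arc.

```python
ANY_POLICY = "2.5.29.32.0"   # anyPolicy (RFC 5280)
BR_OID = "2.23.140.x.y.z"    # placeholder exactly as written in the thread
CA_EV_OID = "2.999.1.1"      # constructed CA-specific EV OID (assumption)

def authority_constrained(chain):
    """Policies still valid after walking certificatePolicies from the
    first certificate below the trust anchor down to the leaf."""
    valid = {ANY_POLICY}     # root node of the valid_policy_tree
    for cert_policies in chain:
        asserted = set(cert_policies)
        # A specific policy survives only if the level above allowed it,
        # either by name or through anyPolicy.
        nxt = {p for p in asserted - {ANY_POLICY}
               if p in valid or ANY_POLICY in valid}
        # A certificate asserting anyPolicy carries every policy forward.
        if ANY_POLICY in asserted:
            nxt |= valid
        valid = nxt
    return valid

def user_constrained(chain, user_initial_policy_set):
    """Intersect the surviving policies with the user-initial-policy-set."""
    valid = authority_constrained(chain)
    user = set(user_initial_policy_set)
    if ANY_POLICY in user:
        return valid
    result = valid & user
    if ANY_POLICY in valid:  # chain allows anything: user's choices stand
        result |= user
    return result

def validates(chain, user_initial_policy_set):
    # Assumption: explicit policy is required, so an empty set is a failure.
    return bool(user_constrained(chain, user_initial_policy_set))

# Constructed chains: [intermediate policies, leaf policies]
PROPOSED = [[CA_EV_OID], [CA_EV_OID, BR_OID]]   # leaf also asserts 2.23.140.x.y.z
TODAY = [[CA_EV_OID], [CA_EV_OID]]              # leaf without 2.23.140.x.y.z
ANYPOLICY_INT = [[ANY_POLICY], [CA_EV_OID, BR_OID]]

if __name__ == "__main__":
    for name, chain in [("proposed", PROPOSED), ("today", TODAY),
                        ("anyPolicy intermediate", ANYPOLICY_INT)]:
        for user in ({BR_OID}, {CA_EV_OID}, {ANY_POLICY}):
            print(name, sorted(user), validates(chain, user))
```
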