[cabf_validation] Profiles: cPSuri for Cross-certificates

Wayne Thayer wthayer at gmail.com
Wed May 18 22:19:57 UTC 2022


While reviewing the draft certificate profiles ballot
<https://github.com/sleevi/cabforum-docs/pull/36>, I noticed that section
7.1.2.2.3 "Cross-Certified Subordinate CA Extensions" references section
7.1.2.10.5
<https://github.com/sleevi/cabforum-docs/blob/profiles/docs/BR.md#712105-certificate-policies>
for the certificatePolicies extension. This section states that the
id-qt-cps (cPSuri) policy qualifier must contain:

*"The HTTP or HTTPS URL for the Issuing CA's Certificate Policies,
Certification Practice Statement, Relying Party Agreement, or other pointer
to online policy information provided by the Issuing CA."*

This means that the CPS link in an externally operated cross-certificate
must (if present) point to the root CA's policies. I think that the cPSuri
should reference the policies under which the CA certificate is operated
rather than the policies of the issuing CA.

I asked Ryan about this and he correctly pointed out
<https://github.com/sleevi/cabforum-docs/pull/36#pullrequestreview-965169715>
that while the language is different, the same requirement exists in the
current version of the BRs.

This is a minor issue in the grand scheme of things, but I'd like to
suggest that we consider changing the requirement, or at least add some
additional language to call out the non-intuitive nature of the existing
requirement.

Thanks,

Wayne