Possible contradiction in section 7.1.2.2.6, "Cross-Certified Subordinate CA Certificate Certificate Policies"


Jaime Hablutzel

Feb 10, 2026, 2:15:52 PM
to server...@groups.cabforum.org
In section 7.1.2.2.6, there is a paragraph that could be interpreted as applying to the entire section:

> This Profile RECOMMENDS that the first `PolicyInformation` value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see [7.1.6.1](#7161-reserved-certificate-policy-identifiers))[^first_policy_note]. Regardless of the order of `PolicyInformation` values, the Certificate Policies extension MUST include at least one Reserved Certificate Policy Identifier. If any Subscriber Certificates will chain up directly to the Certificate issued under this Certificate Profile, this Cross-Certified Subordinate CA Certificate MUST contain exactly one Reserved Certificate Policy Identifier.

Though, apparently, it only applies to the Policy Restricted table.

Not explicitly specifying that this paragraph applies only to that table, in my opinion, creates confusion, as it could be interpreted that it applies to the entire section 7.1.2.2.6 and that would create a contradiction between:

> Table: No Policy Restrictions (Affiliated CA)
> ...
> | `policyIdentifier` | MUST | When the Issuing CA wishes to express that there are no policy restrictions, and if the Subordinate CA is an Affiliate of the Issuing CA, then the Issuing CA MAY use the `anyPolicy` Policy Identifier, which MUST be the only `PolicyInformation` value. |

And:

> Regardless of the order of `PolicyInformation` values, the Certificate Policies extension MUST include at least one Reserved Certificate Policy Identifier.

Am I missing something obvious here?
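
The two readings raised in the post above, as an added example (not part of the original message and not CA/Browser Forum code): a checker over the `policyIdentifier` values of a Certificate Policies extension, in extension order. The function names and the `table` / `paragraph_scope` labels are assumptions made for illustration; the OIDs are the standard anyPolicy and Reserved Certificate Policy Identifier values.

```python
ANY_POLICY = "2.5.29.32.0"
# Reserved Certificate Policy Identifiers (the values section 7.1.6.1 refers to)
RESERVED = {
    "2.23.140.1.1",    # Extended Validation
    "2.23.140.1.2.1",  # Domain Validated
    "2.23.140.1.2.2",  # Organization Validated
    "2.23.140.1.2.3",  # Individual Validated
}

def check_quoted_paragraph(oids, issues_subscriber_certs):
    """Findings under the paragraph quoted at the top of the post."""
    findings = []
    reserved = [o for o in oids if o in RESERVED]
    if not reserved:
        findings.append("MUST: no Reserved Certificate Policy Identifier")
    elif issues_subscriber_certs and len(reserved) != 1:
        findings.append("MUST: exactly one Reserved Certificate Policy Identifier")
    if oids and oids[0] not in RESERVED:
        findings.append("RECOMMENDED: first PolicyInformation is not reserved")
    return findings

def check_no_restrictions_row(oids):
    """Findings under the 'No Policy Restrictions (Affiliated CA)' row."""
    if ANY_POLICY in oids and len(oids) != 1:
        return ["MUST: anyPolicy is not the only PolicyInformation value"]
    return []

def lint(oids, table, paragraph_scope, issues_subscriber_certs=False):
    """oids: policyIdentifier values in extension order.
    table: 'no-restrictions-affiliated' or 'policy-restricted' (labels assumed).
    paragraph_scope: 'section' or 'policy-restricted-table' (the two readings)."""
    findings = []
    if table == "no-restrictions-affiliated":
        findings += check_no_restrictions_row(oids)
    if paragraph_scope == "section" or table == "policy-restricted":
        findings += check_quoted_paragraph(oids, issues_subscriber_certs)
    return findings

if __name__ == "__main__":
    # Constructed inputs: anyPolicy alone, then anyPolicy next to a reserved OID.
    for oids in ([ANY_POLICY], ["2.23.140.1.2.1", ANY_POLICY]):
        for scope in ("section", "policy-restricted-table"):
            print(oids, scope, lint(oids, "no-restrictions-affiliated", scope))
```

With `paragraph_scope="section"`, every extension that uses `anyPolicy` fails one of the two MUSTs; with `"policy-restricted-table"`, `anyPolicy` alone passes.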
