Question about a Microsoft Root Program requirement


Peter Mate Erdosi

Feb 11, 2026, 3:09:56 AM (3 days ago) Feb 11
to dev-secur...@mozilla.org
Hello,

I know that the focus is on the Mozilla requirements here, but I hope somebody can answer my certificate-related question.

The question is how to interpret this requirement: "3.1.15. CAs must declare one of the following policy OIDs in its Certificate Policy extension end-entity certificate:" if a CA does not want to issue any CAB Forum related certificates (no TLS, S/MIME or Code Signing certificates are in scope).

I think the only Policy OID from the list that can be used in this case is "Digest Algorithms SHA2". Does it mean that the compliant CA shall include one of the following three OIDs in the certificatePolicies extension of the CA and the EE certificates, or only of the EE certificates, in addition to other (own) policy OIDs?

1. SHA-256: Corresponds to OID 2.16.840.1.101.3.4.2.1.
2. SHA-384: Corresponds to OID 2.16.840.1.101.3.4.2.2.
3. SHA-512: Corresponds to OID 2.16.840.1.101.3.4.2.3.

Thank you in advance!

Best Regards,
Peter

PS: I have not found any information about this in the archive

Ben Wilson

Feb 12, 2026, 2:03:42 PM (yesterday) Feb 12
to Peter Mate Erdosi, dev-secur...@mozilla.org

Hi Peter,

My interpretation, which I limit to the text being discussed here, is that the policy OID requirement applies only to end-entity certificates, not CA certificates, and that the OIDs referenced are certificate policy OIDs, not SHA digest algorithm identifiers (e.g. not SHAx, 2.16.840.1.101.3.4.2.x), the latter of which belong elsewhere in the certificate and not in the certificatePolicies extension. 

Sometimes, for non-CABF certificate types, a CA owner/operator will adopt its own Certificate Policy (or combined CP/CPS) and designate applicable certificate policy OIDs of its own based on the policies and practices used to issue the certificates. Also, other non-CABF organizations may adopt community-wide CP OIDs for a given community of interest.  (A Certificate Policy is "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements".)

For an authoritative interpretation of the Microsoft Trusted Root Program requirements, I recommend that you contact msr...@microsoft.com directly.

Best regards,

Ben 
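
As an added illustration of the distinction drawn in the reply above (example code written for this thread, not from either poster, from Mozilla or from Microsoft): a standard-library-only Python script that encodes and decodes the DER value of a certificatePolicies extension and then classifies the OIDs it finds. The private policy OID 2.999.1.1 is a placeholder under the ITU-T/ISO example arc, not a policy anyone has registered; the three SHA-2 digest OIDs are the ones quoted in the question, and the script reports them as misplaced if they turn up inside certificatePolicies, because they identify hash algorithms rather than certificate policies.

```python
# certificatePolicies (RFC 5280 s4.2.1.4) is
#   SEQUENCE OF PolicyInformation
#   PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
#                                    policyQualifiers ... OPTIONAL }
# Example code for this thread; stdlib only.
from typing import Dict, List, Tuple

# The SHA-2 digest OIDs quoted in the question. They name hash algorithms
# (used in signature/PSS parameters, CMS, etc.), not certificate policies.
SHA2_DIGEST_OIDS = {
    "2.16.840.1.101.3.4.2.1": "SHA-256",
    "2.16.840.1.101.3.4.2.2": "SHA-384",
    "2.16.840.1.101.3.4.2.3": "SHA-512",
}

# Placeholder private policy OID under the example arc 2.999 (constructed
# for this example; a CA would use an arc it actually owns).
EXAMPLE_PRIVATE_POLICY_OID = "2.999.1.1"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def _base128(value: int) -> bytes:
    """One OID sub-identifier: 7 bits per octet, high bit set on all but the last."""
    chunk = [value & 0x7F]
    value >>= 7
    while value:
        chunk.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(chunk))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]  # first two arcs share one sub-id
    return der_tlv(0x06, b"".join(_base128(s) for s in subids))


def decode_oid(body: bytes) -> str:
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    subids, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(value)
            value = 0
    first = subids[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + subids[1:])


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; returns (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def build_certificate_policies(oids: List[str]) -> bytes:
    """DER value of a certificatePolicies extension (no qualifiers)."""
    infos = b"".join(der_tlv(0x30, encode_oid(o)) for o in oids)
    return der_tlv(0x30, infos)


def parse_certificate_policies(ext_value: bytes) -> List[str]:
    """Return the policyIdentifier OIDs found in a certificatePolicies value."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_body, _ = read_tlv(info, 0)  # qualifiers, if any, are skipped
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def classify_policies(ext_value: bytes) -> Dict[str, List[str]]:
    """Split the OIDs found into policy OIDs and misplaced digest-algorithm OIDs."""
    found = parse_certificate_policies(ext_value)
    return {
        "policy_oids": [o for o in found if o not in SHA2_DIGEST_OIDS],
        "misplaced_digest_oids": [o for o in found if o in SHA2_DIGEST_OIDS],
    }


if __name__ == "__main__":
    # Constructed input: a private policy OID plus the SHA-256 digest OID
    # wrongly placed in the same extension.
    value = build_certificate_policies([EXAMPLE_PRIVATE_POLICY_OID,
                                        "2.16.840.1.101.3.4.2.1"])
    print(value.hex())
    print(classify_policies(value))
```

The check operates on the extension value (the contents of the extension's OCTET STRING), so a CA's pre-issuance linter would feed it the certificatePolicies value extracted from a candidate end-entity certificate; the encoder side shows why a digest OID and a policy OID are indistinguishable on the wire, which is exactly why the classification has to be done by meaning rather than by syntax.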


To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADuWVBUSj%2B1TXyJKNiEcD2SsHqqPC%3DjTrfEU9YfrBDTSaEVWvg%40mail.gmail.com.