Questions Regarding the Use of the id-ad-caIssuers Extension under the BR!


Awel Dia

Apr 9, 2026, 10:42:55 AM
to dev-secur...@mozilla.org
Hello everyone,

I have a question regarding compliance of the id-ad-caIssuers extension (OID: 1.3.6.1.5.5.7.48.2) under the CA/Browser Forum Baseline Requirements (BR).
Per Section 7.1.2.10.3 of the BR, the requirement for id-ad-caIssuers is:
A HTTP URL of the Issuing CA's certificate.

In this regard, I have two questions for clarification:
1. If the id-ad-caIssuers extension in a subordinate CA certificate points to a cross certificate, would this violate the relevant provisions of the BR?
2. According to the definition of id-ad-caIssuers in RFC 5280 Section 4.2.2.1:
Where the information is available via HTTP or FTP, accessLocation MUST be a uniformResourceIdentifier and the URI MUST point to either a single DER encoded certificate as specified in [RFC2585] or a collection of certificates in a BER or DER encoded "certs-only" CMS message as specified in [RFC2797].
Accordingly, id-ad-caIssuers may point to either a single DER-encoded certificate or a certs-only CMS certificate bundle (.p7c format). If the id-ad-caIssuers extension in a subordinate CA certificate points to a .p7c certificate bundle containing both cross certificates and root certificates, would this violate the relevant provisions of the BR?

Thanks!
Awel
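
To make the two payload shapes quoted from RFC 5280 concrete, the following stdlib-only Python walker is added here as an example; it is not part of the thread, the BRs, or any CA's tooling. It takes the bytes an id-ad-caIssuers accessLocation serves, tells a single DER Certificate (RFC 2585) apart from a certs-only CMS SignedData (RFC 2797, the usual .p7c), lists the certificates in a bundle, flags self-issued ones (issuer name equal to subject name, which is how a root and a cross certificate for the same CA differ), and checks the BR 7.1.2.10.3 "HTTP URL" requirement on the URI scheme. The certificates it runs on are constructed inside the block (hand-built minimal DER with a placeholder key and an empty signature, not real certificates), and all function and constant names are the example's own assumptions.

```python
"""Inspect what an id-ad-caIssuers (1.3.6.1.5.5.7.48.2) accessLocation serves.
RFC 5280 4.2.2.1 allows a single DER Certificate (RFC 2585) or a certs-only CMS
SignedData (RFC 2797, typically .p7c). Minimal DER parser, stdlib only."""
from urllib.parse import urlsplit

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ID_DATA = "1.2.840.113549.1.7.1"
ID_AT_COMMON_NAME = "2.5.4.3"


def der_read(buf: bytes, pos: int = 0):
    """Read one definite-length TLV at pos; returns (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split a constructed value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, v, pos = der_read(value, pos)
        out.append((tag, v, value[start:pos]))
    return out


def oid_to_str(value: bytes) -> str:
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def common_name(name_value: bytes) -> str:
    """Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); return the CN."""
    for _, rdn, _ in der_children(name_value):
        for _, atv, _ in der_children(rdn):
            (_, t, _), (_, v, _) = der_children(atv)[:2]
            if oid_to_str(t) == ID_AT_COMMON_NAME:
                return v.decode("utf-8")
    return "<no CN>"


def cert_summary(cert_der: bytes) -> dict:
    """Issuer/subject from tbsCertificate by field position (RFC 5280 4.1)."""
    _, cert_body, _ = der_read(cert_der)
    tbs_fields = der_children(der_children(cert_body)[0][1])
    i = 1 if tbs_fields[0][0] == 0xA0 else 0        # optional [0] EXPLICIT version
    issuer, subject = tbs_fields[i + 2][1], tbs_fields[i + 4][1]
    # Name equality only shows "self-issued"; proving "self-signed" additionally
    # requires verifying the signature with the certificate's own public key.
    return {"subject": common_name(subject), "issuer": common_name(issuer),
            "self_issued": issuer == subject}


def describe_ca_issuers_payload(data: bytes) -> dict:
    tag, body, _ = der_read(data)
    if tag != 0x30:
        raise ValueError("caIssuers payload is not a DER SEQUENCE")
    top = der_children(body)
    if top[0][0] == 0x06 and oid_to_str(top[0][1]) == ID_SIGNED_DATA:
        # ContentInfo { contentType id-signedData, content [0] EXPLICIT SignedData }
        fields = der_children(der_children(top[1][1])[0][1])
        if fields[-1][1]:                   # certs-only: signerInfos is an empty SET
            raise ValueError("SignedData has signers; not a certs-only message")
        cert_blobs = []
        for t, v, _ in fields:
            if t == 0xA0:                   # certificates [0] IMPLICIT CertificateSet
                cert_blobs += [raw for _, _, raw in der_children(v)]   # plain Certificate choices only
        return {"kind": "certs-only CMS (.p7c)", "certs": [cert_summary(c) for c in cert_blobs]}
    return {"kind": "single DER certificate", "certs": [cert_summary(data)]}


def access_location_is_http(uri: str) -> bool:
    """BR 7.1.2.10.3: the caIssuers accessLocation is an HTTP URL (not https/ldap/ftp)."""
    return urlsplit(uri).scheme == "http"


# --- constructed sample data: hand-built minimal DER, NOT real certificates ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return der(0x06, bytes(out))


def name(cn: str) -> bytes:
    return der(0x30, der(0x31, der(0x30, oid(ID_AT_COMMON_NAME) + der(0x0C, cn.encode()))))


def fake_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Structurally valid Certificate with a dummy key and an empty signature."""
    alg = der(0x30, oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
              + der(0x30, der(0x17, b"260101000000Z") + der(0x17, b"270101000000Z")) + name(subject_cn)
              + der(0x30, der(0x30, oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00")))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


def certs_only_cms(certs) -> bytes:
    sd = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, oid(ID_DATA))
             + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return der(0x30, oid(ID_SIGNED_DATA) + der(0xA0, sd))


ROOT = fake_cert("Example Root CA", "Example Root CA")     # self-issued root
CROSS = fake_cert("Example Root CA", "Other Root CA")      # same subject, cross-issued


def sample_single() -> bytes:
    return CROSS


def sample_bundle() -> bytes:
    return certs_only_cms([CROSS, ROOT])


if __name__ == "__main__":
    for blob in (sample_single(), sample_bundle()):
        print(describe_ca_issuers_payload(blob))
```

To run it on a live AIA target, fetch the bytes from the caIssuers URL and pass them to describe_ca_issuers_payload; the function only reports the payload shape and which entries are self-issued, which is the factual input to the BR question above, not an answer to it.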

Arabella Barks

Apr 10, 2026, 4:59:25 AM
to dev-secur...@mozilla.org, Awel Dia
Hi Awel,

The BRs do not impose any restriction that the id-ad-caIssuers extension must point only to a self-signed certificate or a cross-signed certificate. Therefore, such usage should not be considered a violation of the BRs.

Feel free to correct me if there are any errors in my understanding.

Thanks.
Arabella