Questions Regarding the Use of the id-ad-caIssuers Extension under the BR!


Awel Dia
Apr 9, 2026, 10:42:55 AM
to dev-secur...@mozilla.org
Hello everyone,

I have a question regarding compliance of the id-ad-caIssuers extension (OID: 1.3.6.1.5.5.7.48.2) under the CA/Browser Forum Baseline Requirements (BR).
Per Section 7.1.2.10.3 of the BR, the requirement for id-ad-caIssuers is:
A HTTP URL of the Issuing CA's certificate.

In this regard, I have two questions for clarification:
1. If the id-ad-caIssuers extension in a subordinate CA certificate points to a cross certificate, would this violate the relevant provisions of the BR?
2. According to the definition of id-ad-caIssuers in RFC 5280 Section 4.2.2.1:
Where the information is available via HTTP or FTP, accessLocation MUST be a uniformResourceIdentifier and the URI MUST point to either a single DER encoded certificate as specified in [RFC2585] or a collection of certificates in a BER or DER encoded "certs-only" CMS message as specified in [RFC2797].
Accordingly, id-ad-caIssuers may point to either a single DER-encoded certificate or a certs-only CMS certificate bundle (.p7c format). If the id-ad-caIssuers extension in a subordinate CA certificate points to a .p7c certificate bundle containing both cross certificates and root certificates, would this violate the relevant provisions of the BR?

Thanks!
Awel
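An added illustration, not part of the post above: a stand-alone DER walker that tells apart the two response formats RFC 5280 Section 4.2.2.1 permits at a caIssuers URL (a single DER certificate versus a certs-only CMS bundle) and, for each certificate found, reports whether it is self-signed (root-style, issuer equals subject) or issued under another name (which is what a cross certificate in a .p7c bundle looks like). The sample certificates are constructed, unsigned stand-ins, and every function name here is mine.

```python
from typing import List, Tuple
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2
def der_children(buf: bytes) -> List[Tuple[int, bytes]]:
    """Walk consecutive definite-length DER TLVs in buf, returning (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length octets
            n, pos = ln & 0x7F, pos + (ln & 0x7F)
            ln = int.from_bytes(buf[pos - n:pos], "big")
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out
def cert_names(cert: bytes) -> Tuple[bytes, bytes]:
    """(issuer, subject) Name DER taken from the content of a Certificate SEQUENCE."""
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:  # optional EXPLICIT [0] version precedes serialNumber
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serial, signature, issuer, validity, subject
def classify_ca_issuers_body(body: bytes) -> List[Tuple[str, str]]:
    """Per certificate: ('single-der' | 'cms-certs-only', 'self-signed' | 'issued').
    'self-signed' means issuer == subject (root-style); 'issued' covers cross certificates."""
    top = der_children(body)[0][1]
    head = der_children(top)
    if head[0][0] == 0x06 and head[0][1] == OID_SIGNED_DATA:
        # ContentInfo{id-signedData, [0] SignedData}; certs sit in [0] IMPLICIT CertificateSet
        signed = der_children(der_children(head[1][1])[0][1])
        cert_set = next(c for t, c in signed if t == 0xA0)
        kind, certs = "cms-certs-only", [c for _, c in der_children(cert_set)]
    else:
        kind, certs = "single-der", [top]
    return [(kind, "self-signed" if i == s else "issued") for i, s in map(cert_names, certs)]

# Constructed, unsigned stand-in certificates holding only the fields the walker reads.
def tlv(tag: int, content: bytes) -> bytes:  # tiny DER encoder for the samples only
    lb = len(content).to_bytes(2, "big") if len(content) >= 0x80 else b""
    return bytes([tag, 0x82 if lb else len(content)]) + lb + content
def fake_cert(issuer_cn: str, subject_cn: str) -> bytes:
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
def certs_only_cms(certs: List[bytes]) -> bytes:  # degenerate SignedData, no signers (RFC 2797 .p7c)
    signed = (tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))
              + tlv(0xA0, b"".join(certs)) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, signed)))
SINGLE_DER = fake_cert("Example Root", "Example Sub CA")
P7C_BUNDLE = certs_only_cms([fake_cert("Example Root", "Example Root"), fake_cert("Other Root", "Example Root")])
```

Fetching the body from a live certificate's AIA URL is left out so the block runs offline; pass the downloaded bytes to classify_ca_issuers_body to see which of the two forms a CA actually serves and what the bundle contains.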