Question about a Microsoft Root Program requirement


Peter Mate Erdosi

3:09 AM (3 hours ago)
to dev-secur...@mozilla.org
Hello,

I know that the focus is on the Mozilla requirements here, but I hope somebody can answer my certificate-related question.

The question is how to interpret this requirement: "3.1.15. CAs must declare one of the following policy OIDs in its Certificate Policy extension end-entity certificate:" if a CA does not want to issue any CAB Forum related certificates (no TLS, S/MIME, Code Signing certificates are in the scope).

I think the only policy OID from the list that can be used in this case is "Digest Algorithms SHA2". Does it mean that the compliant CA shall include one of the following three OIDs in the certificatePolicies extension of the CA and the EE certificates, or only of the EE certificates, besides other (own) policy OIDs?

1. SHA-256: Corresponds to OID 2.16.840.1.101.3.4.2.1.
2. SHA-384: Corresponds to OID 2.16.840.1.101.3.4.2.2.
3. SHA-512: Corresponds to OID 2.16.840.1.101.3.4.2.3.

Thank you in advance!

Best Regards,
Peter

PS: I have not found any information about this in the archive.