
7.1.6.1 Reserved Certificate Policy Identifiers


Doug Beattie

May 14, 2020, 8:44:05 AM
to mozilla-dev-s...@lists.mozilla.org
I have a question about section 7.1.6.1. It says:

This section describes the content requirements for the Root CA, Subordinate
CA, and Subscriber Certificates, as they relate to the identification of
Certificate Policy.



For Subscriber certificates I totally understand and agree with section
7.1.6.1, and specifically:



If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it
MUST NOT include organizationName, .

and

If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it
MUST also include organizationName,.



This means you can have one or the other, but never both in one certificate.




But, if a Root and a subordinate MUST have an Organizational name, then
there is no way it could ever have the DV policy OID (2.23.140.1.2.1) and
comply with that requirement.



The scope of this section should be for Subscriber Certificates only. Can
we agree that was a bug?



Section 7.1.6.3 goes on to say that a CA "MAY include the CA/Browser Forum
reserved identifiers . to indicate the Subordinate CA's compliance with
these Requirements" which further implies that CA certificates can contain
CABF Policy identifiers (there are 6 defined CABF OIDs,
https://cabforum.org/object-registry/)



Doug
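
The conflict raised in the post above, as an added example that is not part of the original thread: a small lint that applies the two quoted organizationName rules first to every certificate type (as the section's stated scope reads) and then to Subscriber Certificates only. The `CertSummary` model, the `lint_7_1_6_1` function and the sample certificates are constructed for illustration; this is not a DER parser and not code from any CA or the CA/Browser Forum.

```python
from dataclasses import dataclass, field

DV_OID = "2.23.140.1.2.1"  # per the quoted text: MUST NOT include organizationName
OV_OID = "2.23.140.1.2.2"  # per the quoted text: MUST also include organizationName


@dataclass
class CertSummary:
    """Constructed, simplified view of a certificate (hypothetical model)."""
    kind: str      # "root", "subordinate" or "subscriber"
    subject: dict  # subject attribute name -> value
    policy_oids: list = field(default_factory=list)


def lint_7_1_6_1(cert, subscriber_only):
    """Return findings for the organizationName rules quoted in the post.

    subscriber_only=False applies the DV/OV rules to every certificate type;
    subscriber_only=True applies the scoping the post proposes.
    """
    findings = []
    has_org = bool(cert.subject.get("organizationName"))
    if cert.kind != "subscriber":
        # Premise taken from the post: Root and Subordinate CA certificates
        # must carry an organization name.
        if not has_org:
            findings.append("CA certificate lacks organizationName")
        if subscriber_only:
            return findings
    if DV_OID in cert.policy_oids and has_org:
        findings.append(f"{DV_OID} asserted but organizationName present")
    if OV_OID in cert.policy_oids and not has_org:
        findings.append(f"{OV_OID} asserted but organizationName absent")
    return findings


# Constructed sample certificates.
SUB_CA = CertSummary("subordinate",
                     {"organizationName": "Example CA Ltd", "commonName": "Example DV CA"},
                     [DV_OID])
DV_LEAF = CertSummary("subscriber", {"commonName": "www.example.test"}, [DV_OID])
BAD_LEAF = CertSummary("subscriber", {"organizationName": "Example Org"}, [DV_OID, OV_OID])

if __name__ == "__main__":
    for name, cert in [("SUB_CA", SUB_CA), ("DV_LEAF", DV_LEAF), ("BAD_LEAF", BAD_LEAF)]:
        for scoped in (False, True):
            print(name, f"subscriber_only={scoped}", lint_7_1_6_1(cert, scoped))
```

With the rules applied to all certificate types, the subordinate CA carrying the DV OID fails whether or not it has an organizationName; scoped to Subscriber Certificates, it passes.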

Ryan Sleevi

May 14, 2020, 8:57:31 AM
to Doug Beattie, mozilla-dev-s...@lists.mozilla.org
Did you mean to ask this on the CABF list?

This is
https://github.com/cabforum/documents/issues/179 which I was going to try
to fix in
https://github.com/sleevi/cabforum-docs/pull/12 (aka “spring” cleanup that
is seeking endorsers)

The discussion thread is
https://cabforum.org/pipermail/validation/2020-May/001469.html

Doug Beattie

May 14, 2020, 9:07:47 AM
to ry...@sleevi.com, mozilla-dev-s...@lists.mozilla.org
Yes, I should have asked this on the CABF list, and you answered my question with the links below. Thanks!