All,

CSBR section 7.1.6.3 states:

“A Certificate issued to a Subordinate CA that issues Code Signing Certificates and is an Affiliate of the Issuing CA:

1. MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers> to indicate the Subordinate CA's compliance with these Requirements, and
2. MAY contain the "anyPolicy" identifier (2.5.29.32.0) in place of an explicit policy identifier.

A Certificate issued after 31 March 2022 to a Subordinate CA that issues Timestamp Certificates and is an Affiliate of the Issuing CA:

1. MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers> to indicate the Subordinate CA’s compliance with these Requirements, and
2. MAY contain the “anyPolicy” identifier (2.5.29.32.0) in place of an explicit policy identifier.”

I find there are a few issues with this:

* “MUST include the CA/Browser Forum reserved identifier specified in Section 7.1.6.1 <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md#7161-reserved-certificate-policy-identifiers>” seems to state there’s only one policy OID to use, while in fact there are 3 in the named section, 2 of which are for code signing certificates. This is a minor issue though and could be fixed in a cleanup ballot.

* More concerning, I find the MUST and MAY language. If we take the language related to CA Certificates for Code Signing Certificates, what does this language actually state? Should this be interpreted as:

  * MUST include a CABF OID and MAY additionally contain the “anyPolicy” OID.

  or does it state:

  * MUST include either a CABF OID or the “anyPolicy” OID?

I would like to think the intent here is to allow CA Certificates with just the “anyPolicy” OID, but at the same time, a MAY overriding a MUST seems counterproductive.

Any thoughts on this?

Regards,
Martijn
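As an added illustration of the two readings discussed above (this is not part of Martijn's post and not CA/Browser Forum code), the following Python script parses the DER value of a certificatePolicies extension, lists its policy OIDs, and reports whether a Subordinate CA certificate would pass under reading A (a CABF reserved OID is mandatory, anyPolicy is only an optional addition) and under reading B (either a CABF reserved OID or anyPolicy suffices). The reserved OIDs 2.23.140.1.4.1, 2.23.140.1.3 and 2.23.140.1.4.2 are my recollection of Section 7.1.6.1 and should be checked against the current CSBR text; the sample extension values are constructed inline, and the function and constant names are my own.

```python
"""Evaluate a certificatePolicies extension against two readings of CSBR 7.1.6.3.

Standalone DER handling only (no third-party libraries), so it runs offline.
"""

ANY_POLICY = "2.5.29.32.0"  # id-ce-certificatePolicies anyPolicy, quoted in the thread
# Assumed from CSBR 7.1.6.1 (verify against the current text): two OIDs for
# code signing (standard and EV) and one for timestamping.
CABF_CODE_SIGNING_OIDS = frozenset({"2.23.140.1.4.1", "2.23.140.1.3"})
CABF_TIMESTAMP_OIDS = frozenset({"2.23.140.1.4.2"})


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def _encode_arc(value: int) -> bytes:
    """Base-128 encoding of one OID arc, high bit set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_arc(arcs[0] * 40 + arcs[1]) + b"".join(_encode_arc(a) for a in arcs[2:])
    return _tlv(0x06, body)


def decode_oid(body: bytes) -> str:
    arcs, value, pending = [], 0, False
    for b in body:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("malformed OID encoding")
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def _read_tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def encode_certificate_policies(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, ... }."""
    return _tlv(0x30, b"".join(_tlv(0x30, encode_oid(o)) for o in oids))


def parse_certificate_policies(der: bytes) -> list:
    """Return the policyIdentifier OIDs in order; qualifiers are ignored."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, info, pos = _read_tlv(body, pos)
        if t != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        t2, oid_body, _ = _read_tlv(info, 0)
        if t2 != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def evaluate_subordinate_ca(der: bytes, reserved=CABF_CODE_SIGNING_OIDS) -> dict:
    """Apply both readings of 7.1.6.3 to a parsed certificatePolicies value."""
    oids = parse_certificate_policies(der)
    has_reserved = bool(reserved & set(oids))
    has_any = ANY_POLICY in oids
    return {
        "oids": oids,
        "reading_a": has_reserved,             # MUST reserved OID; anyPolicy only additional
        "reading_b": has_reserved or has_any,  # reserved OID or anyPolicy is enough
        "anypolicy_only": has_any and not has_reserved,
    }


# Constructed sample extension values covering the cases discussed in the thread.
SAMPLES = {
    "reserved only": encode_certificate_policies(["2.23.140.1.4.1"]),
    "anyPolicy only": encode_certificate_policies([ANY_POLICY]),
    "reserved plus anyPolicy": encode_certificate_policies(["2.23.140.1.4.1", ANY_POLICY]),
    "private OID only": encode_certificate_policies(["1.3.6.1.4.1.99999.1"]),  # placeholder arc
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name:24s} {evaluate_subordinate_ca(der)}")
```

The "anyPolicy only" case is the one where the two readings diverge: it fails under reading A and passes under reading B, which is exactly the ambiguity the post raises. For a timestamp-issuing Subordinate CA, pass CABF_TIMESTAMP_OIDS as the reserved set.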
_______________________________________________
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public