I have a question about section 7.1.6.1. It says:

"This section describes the content requirements for the Root CA, Subordinate CA, and Subscriber Certificates, as they relate to the identification of Certificate Policy."

For Subscriber certificates I totally understand and agree with section 7.1.6.1, and specifically:

"If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName, ..."

and

"If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, ..."

This means you can have one or the other, but never both in one certificate. But if a Root and a Subordinate MUST have an organizationName, then there is no way either could ever have the DV policy OID (2.23.140.1.2.1) and comply with that requirement. The scope of this section should be for Subscriber Certificates only. Can we agree that was a bug?

Section 7.1.6.3 goes on to say that a CA "MAY include the CA/Browser Forum reserved identifiers ... to indicate the Subordinate CA's compliance with these Requirements", which further implies that CA certificates can contain CABF Policy identifiers (there are 6 defined CABF OIDs, https://cabforum.org/object-registry/).

Doug
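The conflict Doug describes can be checked mechanically. The following is an added example, not code from the poster, Mozilla or the CA/Browser Forum: it models a certificate as a set of asserted policy OIDs plus a dict of Subject attributes (a constructed stand-in for parsed X.509 fields) and applies the three rules quoted above, showing that no Subject can satisfy both the CA organizationName requirement and the DV rule.

```python
# Policy OIDs named in the post (CA/Browser Forum reserved identifiers).
DV_OID = "2.23.140.1.2.1"   # Domain Validated: MUST NOT include organizationName
OV_OID = "2.23.140.1.2.2"   # Organization Validated: MUST include organizationName
ORG_NAME = "organizationName"


def check_cert(policies, subject, is_ca):
    """Apply the rules as quoted in the post and return a list of violations.

    policies: set of policy OID strings asserted in certificatePolicies
    subject:  dict of Subject attribute name -> value (constructed model)
    is_ca:    True for Root/Subordinate CA certificates
    An empty list means the certificate is consistent with all three rules.
    """
    problems = []
    has_org = ORG_NAME in subject
    if DV_OID in policies and has_org:
        problems.append("asserts 2.23.140.1.2.1 but includes organizationName")
    if OV_OID in policies and not has_org:
        problems.append("asserts 2.23.140.1.2.2 but lacks organizationName")
    if is_ca and not has_org:
        problems.append("CA certificate lacks organizationName")
    return problems


def dv_possible_for_ca():
    """Exhaustively try a Subject with and without organizationName for a CA
    certificate asserting the DV OID; True only if some Subject passes."""
    candidates = (
        {"commonName": "Example Issuing CA"},                       # no O
        {"commonName": "Example Issuing CA", ORG_NAME: "Example"},  # with O
    )
    return any(not check_cert({DV_OID}, s, is_ca=True) for s in candidates)


# Constructed sample certificates covering the cases discussed in the post.
SAMPLES = {
    "dv_leaf":    ({DV_OID}, {"commonName": "www.example.com"}, False),
    "ov_leaf":    ({OV_OID}, {"commonName": "www.example.com",
                              ORG_NAME: "Example Corp"}, False),
    "ov_leaf_no_org": ({OV_OID}, {"commonName": "www.example.com"}, False),
    "dv_sub_ca":  ({DV_OID}, {"commonName": "Example DV CA",
                              ORG_NAME: "Example Corp"}, True),
}


def lint_samples():
    """Return {name: violations} for every constructed sample."""
    return {name: check_cert(*cert) for name, cert in SAMPLES.items()}
```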
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy