Hi Peter,

My interpretation, which I limit to the text being discussed here, is that the policy OID requirement applies only to end-entity certificates, not CA certificates, and that the OIDs referenced are certificate policy OIDs, not SHA digest algorithm identifiers (e.g. not SHAx, 2.16.840.1.101.3.4.2.x), the latter of which belong elsewhere in the certificate and not in the certificatePolicies extension.

Sometimes, for non-CABF certificate types, a CA owner/operator will adopt its own Certificate Policy (or combined CP/CPS) and designate applicable certificate policy OIDs of its own based on the policies and practices used to issue the certificates. Also, other non-CABF organizations may adopt community-wide CP OIDs for a given community of interest. (A Certificate Policy is "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements".)

For an authoritative interpretation of the Microsoft Trusted Root Program requirements, I recommend that you contact [email protected] directly.

Best regards,
Ben

On Wed, Feb 11, 2026 at 1:09 AM Peter Mate Erdosi <[email protected]> wrote:
> Hello,
>
> I know that the focus is on the Mozilla requirements here, but I hope somebody can answer my certificate-related question.
>
> The question is how to interpret this requirement: "3.1.15. CAs must declare one of the following policy OIDs in its Certificate Policy extension end-entity certificate:" if a CA does not want to issue any CAB Forum related certificates (no TLS, S/MIME, Code Signing certificates are in the scope).
>
> https://github.com/TrustedRootProgram/Program-Requirements/blob/main/Requirements.md
>
> I think the only policy OID from the list which can be used in this case is "Digest Algorithms SHA2". Does it mean that the compliant CA shall include one of the following three OIDs in the certificatePolicies extension of the CA and the EE certificates, or only the EE certificates, in addition to other (own) policy OIDs?
>
> 1. SHA-256: Corresponds to OID 2.16.840.1.101.3.4.2.1.
> 2. SHA-384: Corresponds to OID 2.16.840.1.101.3.4.2.2.
> 3. SHA-512: Corresponds to OID 2.16.840.1.101.3.4.2.3.
>
> Thank you in advance!
>
> Best Regards,
> Peter
>
> PS: I have not found any information about this in the archive
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADuWVBUSj%2B1TXyJKNiEcD2SsHqqPC%3DjTrfEU9YfrBDTSaEVWvg%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaj%3DsgwG75ceUKvGWMzVWPQ9kz6-ZVj-Dm5G3yzp5_RRA%40mail.gmail.com.
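As an added example, not part of this thread and not material from either root program: the shell script below builds a throwaway root CA and an end-entity certificate with OpenSSL, puts a policy OID only in the end-entity certificate's certificatePolicies extension, and then reads back where each OID actually lands, so the distinction between a certificate policy OID and the SHA-2 choice (which shows up in the signature algorithm identifier, not in certificatePolicies) is visible on real certificates. It assumes OpenSSL 1.1.1 or later on PATH. The policy OID 2.999.1.1 is a placeholder taken from the OID arc reserved for documentation examples, standing in for a CA's own CP OID; the config file, file names and helper function names are mine and are not anything from the requirements document.

```shell
#!/bin/sh
# Added example: where a certificate policy OID lives versus where the hash
# choice lives in an X.509 certificate. Assumes OpenSSL 1.1.1+ on PATH.
# 2.999.1.1 is a placeholder from the example OID arc (2.999), standing in
# for a CA's own policy OID; it is not a real assignment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
POLICY_OID="2.999.1.1"

# Minimal OpenSSL config: a req section plus two extension profiles, one for
# the CA and one for the end-entity (EE) certificate. Only the EE profile
# carries certificatePolicies, matching the "end-entity only" reading.
cat > "$WORK/x509.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
certificatePolicies = $POLICY_OID
EOF

gen_certs() {
  # Self-signed root, signed with SHA-256. No certificatePolicies on it.
  openssl req -x509 -config "$WORK/x509.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # EE key and CSR, then a SHA-256-signed EE cert carrying the policy OID.
  openssl req -new -config "$WORK/x509.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ee.example" -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/ee.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/x509.cnf" -extensions v3_ee -out "$WORK/ee.pem" 2>/dev/null
}

# Print the OIDs declared in certificatePolicies, one per line (nothing if absent).
policy_oids() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 Certificate Policies/ { inpol = 1; next }
    inpol && /Policy: /           { print $2; next }
    inpol && /^ *X509v3|^ *Signature Algorithm/ { inpol = 0 }
  '
}

# Print the signature algorithm name; this is where the SHA-2 choice is expressed.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Exit 0 if the certificate declares exactly the given policy OID, 1 otherwise.
declares_policy() {
  policy_oids "$1" | grep -qx "$2"
}

gen_certs
echo "CA policies: [$(policy_oids "$WORK/ca.pem" | tr '\n' ' ')] sigalg: $(sig_alg "$WORK/ca.pem")"
echo "EE policies: [$(policy_oids "$WORK/ee.pem" | tr '\n' ' ')] sigalg: $(sig_alg "$WORK/ee.pem")"
if declares_policy "$WORK/ee.pem" "2.16.840.1.101.3.4.2.1"; then
  echo "unexpected: a digest algorithm OID inside certificatePolicies"
else
  echo "the SHA-256 OID is not a certificate policy; the hash is carried by the signature algorithm"
fi
```

Run it with `sh` and OpenSSL on PATH. The CA certificate reports an empty policy list, the EE certificate reports 2.999.1.1, and both report sha256WithRSAEncryption as the signature algorithm; `declares_policy` is the check you would run over each end-entity certificate a CA issues when auditing a "must declare one of the following policy OIDs" requirement, with the CA's own CP OID in place of the placeholder.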
