Hi Sven,
> In your example scenario the CA has the policy set too.
> I'm a bit unsure if this is necessary, because a RFC 5280 in section
> 4.2.1.4 (Certificate Policies) states:
>
> "When a CA does not wish to limit the set of policies for certification
> paths that include this certificate, it MAY assert the special policy
> anyPolicy, with a value of { 2 5 29 32 0 }."
>
> Does this "MAY" mean that a root certificate without any policy does
> not limit the policy?
No, I think it simply means that instead of listing all the valid
policies the certificate MAY define anyPolicy instead. According to
section 6 the absence of a policy extension clears the allowed policies
for certificates under that certificate (6.1.3 (e) and also 6.1.2 (a));
this doesn't reject the certificate, it just means the policies will be
ignored.
> Or SHOULD I set the special policy, iff I want
> no limitation?
Yes, I think so.
> How does strongswan evaluate this? Does it need the policy in the root
> certificate too and is this correct?
Yes, the constraints plugin checks that the policy in an end-entity
certificate is either contained explicitly in the CA certificates (or
mapped to a different OID via policy map), or that they specify the
anyPolicy OID. The complete trust chain is checked.
> What, if I do NOT own the CA but have a Sub-CA signed by an official CA?
>
> Can I use certification policies then?
Depends on the policy extension in that official CA certificate.
> Currently I have a user certificate with a specific policy and a
> Sub-CA with an "anyPolicy" set. But I cannot connect, if I enable the
> "rightcertpolicy" option...
Then the root CA probably has no policy extension and the policy will be
ignored and, therefore, can't be matched to the rightcertpolicy option.
Regards,
Tobias
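The policy processing Tobias describes, as an added example that is not part of the original thread and not strongSwan's constraints plugin code: a simplified Python model of RFC 5280 section 6.1 certificate-policy processing over a chain given as per-certificate policy sets. It assumes, following the reply, that the root is processed like any other CA certificate, ignores inhibitAnyPolicy, and uses constructed sample OIDs for the user policies.

```python
# Simplified model of RFC 5280 section 6.1 certificate-policy processing
# (constructed example, not strongSwan's code). A certificate is a pair
# (policies, mappings): policies is a set of OID strings, or None when the
# certificatePolicies extension is absent; mappings is a list of
# (issuerDomainPolicy, subjectDomainPolicy) pairs. inhibitAnyPolicy is ignored.
ANY_POLICY = "2.5.29.32.0"

def cert(policies, mappings=()):
    return (None if policies is None else set(policies), list(mappings))

def valid_policies(chain):
    """Return the policy OIDs valid for the end-entity certificate.

    chain is ordered root -> sub-CAs -> end-entity; the root is processed too.
    An empty set means the policy tree was cleared (6.1.3 (e)) or no CA in
    the chain permits the policy asserted by the end-entity certificate.
    """
    expected = {ANY_POLICY}  # before the first certificate anything is acceptable
    for policies, mappings in chain:
        if policies is None:
            return set()  # 6.1.3 (e): missing extension, tree stays NULL below
        if ANY_POLICY in expected:
            new = set(policies)  # parent allowed anything: this cert decides
        else:
            new = expected & policies  # 6.1.3 (d): explicit match with parent
            if ANY_POLICY in policies:
                new |= expected  # anyPolicy in this cert keeps the parent's set
        # 6.1.4 (b): a mapped issuer policy is expected as the subject policy below
        mapped_out = {i for i, _ in mappings if i in new}
        mapped_in = {s for i, s in mappings if i in new}
        expected = (new - mapped_out) | mapped_in
    return expected

def policy_matches(chain, required_oid):
    """Model of matching a rightcertpolicy OID against the validated chain."""
    return required_oid in valid_policies(chain)

# Constructed sample OIDs under a private arc; they are not real policies.
P, Q = "1.3.6.1.4.1.99999.1", "1.3.6.1.4.1.99999.2"
# Sven's setup: root without the extension, sub-CA with anyPolicy, user with P.
SVEN_CHAIN = [cert(None), cert({ANY_POLICY}), cert({P})]
# The same chain once the root asserts anyPolicy as well.
FIXED_CHAIN = [cert({ANY_POLICY}), cert({ANY_POLICY}), cert({P})]
# Explicit policies down the chain; the user cert asserts an unlisted policy.
STRICT_CHAIN = [cert({P}), cert({P}), cert({Q})]
# The sub-CA asserts P and maps it to Q for the certificates it issues.
MAPPED_CHAIN = [cert({ANY_POLICY}), cert({P}, [(P, Q)]), cert({Q})]

if __name__ == "__main__":
    for name, chain in [("sven", SVEN_CHAIN), ("fixed", FIXED_CHAIN),
                        ("strict", STRICT_CHAIN), ("mapped", MAPPED_CHAIN)]:
        print(f"{name:7s} valid={sorted(valid_policies(chain))}")
```

Sven's chain yields an empty set, so no rightcertpolicy OID can match, while the same chain with anyPolicy in the root yields {P}.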