Mr Brown is right.

inhibitAnyPolicy is different from inhibit*Every*Policy.
With the new code in its current state, I think that this extension is ignored.
There's another thread at the mozilla.dev.tech.crypto group talking about it (not 
that particular extension, but the behavior of this new code), and due to poor 
support for the CertificatePolicies extension, FPKI users might be concerned.


On Tuesday, 29 April 2014 01:52:12 UTC+2, Brown, Wendy (10421) wrote:
> In looking at this Draft CA Communications, I looked at the description of 
> Behavior change and #5 doesn't look like the change is the right 
> interpretation:
> 
> 5. If the inhibitAnyPolicy extension is present in an intermediate 
> certificate or trust anchor and children certificates have a certificate 
> policy extension the verification will fail. bug 989051
> 
> According to RFC 5280:
> 
> The inhibit anyPolicy extension can be used in certificates issued to CAs. 
> The inhibit anyPolicy extension indicates that the special anyPolicy OID, 
> with the value { 2 5 29 32 0 }, is not considered an explicit match for other 
> certificate policies except when it appears in an intermediate self-issued CA 
> certificate. The value indicates the number of additional non-self-issued 
> certificates that may appear in the path before anyPolicy is no longer 
> permitted. For example, a value of one indicates that anyPolicy may be 
> processed in certificates issued by the subject of this certificate, but not 
> in additional certificates in the path.
> 
> The inhibitAnyPolicy extension does not mean that a certificate Policy 
> extension can't be in the end entity certificate or any intermediate 
> certificates in the chain, it means that the "anyPolicy OID" is not valid 
> further down in the certificate path.  It would be used when you want to 
> ensure a specific certificate policy is in the path all the way to the 
> end-entity certificate.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
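As an added illustration of the RFC 5280 text quoted above (example code written here, not from this thread or from mozilla::pkix): a reduced path-validation walk that tracks only the inhibit_anyPolicy state variable, showing that an explicit policy in a child certificate still matches after inhibitAnyPolicy, while reliance on anyPolicy does not. The `cert()` and `validate_policy()` names, and the dict representation of certificates, are assumptions of this example.

```python
# Added example, not from the thread or from mozilla::pkix: a reduced
# RFC 5280 section 6.1 walk that tracks only the inhibit_anyPolicy state
# variable. Policy mappings and the full valid_policy_tree are left out.
# Certificates are constructed dicts, not parsed X.509 objects.

ANY_POLICY = "2.5.29.32.0"   # the special anyPolicy OID { 2 5 29 32 0 }


def cert(policies, inhibit_any=None, self_issued=False):
    """Constructed stand-in for a certificate: `policies` is the set of OIDs
    in certificatePolicies (None = extension absent), `inhibit_any` is the
    SkipCerts value of inhibitAnyPolicy (None = extension absent)."""
    return {"policies": policies, "inhibit_any": inhibit_any,
            "self_issued": self_issued}


def validate_policy(chain, required_policy):
    """chain[0] is issued by the trust anchor, chain[-1] is the end entity.
    Returns (ok, reason): ok is True when `required_policy` is asserted by
    every certificate, either explicitly or via anyPolicy where anyPolicy
    is still permitted."""
    n = len(chain)
    inhibit_any = n + 1                 # 6.1.2 (e): initial value n+1
    for i, c in enumerate(chain, start=1):
        policies = c["policies"]
        if policies is None:
            return False, f"cert {i}: no certificatePolicies extension"
        if required_policy in policies:
            matched = True              # explicit policy always matches
        elif ANY_POLICY in policies:
            # 6.1.3 (d)(2): anyPolicy counts only while inhibit_any > 0, or
            # in a self-issued intermediate (never in the end entity).
            matched = inhibit_any > 0 or (c["self_issued"] and i < n)
        else:
            matched = False
        if not matched:
            return False, f"cert {i}: {required_policy} not asserted"
        if i < n:                       # 6.1.4: prepare for the next cert
            if not c["self_issued"] and inhibit_any > 0:
                inhibit_any -= 1        # (h): one more non-self-issued cert
            if c["inhibit_any"] is not None:
                inhibit_any = min(inhibit_any, c["inhibit_any"])  # (j)
    return True, "ok"
```

With an intermediate carrying inhibitAnyPolicy=0, an end entity asserting the explicit policy validates, an end entity asserting only anyPolicy does not, and a SkipCerts value of 1 lets exactly one further non-self-issued certificate use anyPolicy.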
