To add to Eric's response, the U.S. Federal PKI was built and is dependent on 
Policy OID validation. There are 25 OIDs registered with NIST that define 
different assurance levels and is heavily focused on people certificates 
although it is a broad use PKI for the U.S. Federal Government (USG). Devices 
were never a big use case until HTTPS went mainstream and agencies starting 
leveraging their existing PKI to issue Server Auth certificates. There was a 
growing divide between Federal PKI policy and CAB Forum / Browsers 
(specifiallly with the interpretation of RFC 5280 and Intermediate CA EKU use) 
that the Federal Government is now trying to correct with the new NPE CP 
development ( 

The USG even set up a testing program (FIPS 201 Evaluation Program) to test PKI 
enabled applications and ensure they met Federal PKI requirements for policy 
OID validation which still exists today. It is mainly focused on non-mainstream 
products like physical access systems, SCVP, logical access appliances, and a 
couple other categories. NIST developed a PKI test suite 
( to test 
5280, but it is kind of dated. The FIPS 201 program is updating and integrating 
the NIST test suite items. I'm not sure if it ever tested email, browsers, or 
other mainstream type programs and now cloud-based applications. That seems 
like a gap in ensuring policy validation worked in products and keeping the 
Federal PKI informed of new events in the web PKI. Adobe is the only mainstream 
application I know of or heard of that does policy validation for PKI vendor 
supplied policies.

In relation to Symantec, the Federal Bridge was established as an 
interoperability hub using OID validation of strong to low assurance people 
credentials which were intermingled with device credentials (the focus 
primarily being on people). If you ask anyone in the Federal PKI they would say 
I only accept XX.XX OID and don't worry about other certificates. This is a 
potential issue for products that only do path validation though. That doesn't 
address any of the questions directed at Symantec and why the cross-cert wasn't 
disclosed. If browsers did policy validation would it have been a problem? I 
can't answer that.

Here is an overview document of how the U.S. Federal PKI was designed and built 
dev-security-policy mailing list

Reply via email to