To add to Eric's response, the U.S. Federal PKI was built on, and is dependent on, Policy OID validation. There are 25 OIDs registered with NIST that define different assurance levels; it is heavily focused on people certificates, although it is a broad-use PKI for the U.S. Federal Government (USG). Devices were never a big use case until HTTPS went mainstream and agencies started leveraging their existing PKI to issue Server Auth certificates. There was a growing divide between Federal PKI policy and CAB Forum / Browsers (specifically with the interpretation of RFC 5280 and Intermediate CA EKU use) that the Federal Government is now trying to correct with the new NPE CP development (https://github.com/uspki/policies).
The USG even set up a testing program (FIPS 201 Evaluation Program) to test PKI-enabled applications and ensure they met Federal PKI requirements for policy OID validation, which still exists today. It is mainly focused on non-mainstream products like physical access systems, SCVP, logical access appliances, and a couple of other categories. NIST developed a PKI test suite (http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html) to test 5280, but it is kind of dated. The FIPS 201 program is updating and integrating the NIST test suite items. I'm not sure if it ever tested email, browsers, or other mainstream-type programs, and now cloud-based applications. That seems like a gap in ensuring policy validation worked in products and in keeping the Federal PKI informed of new events in the web PKI. Adobe is the only mainstream application I know of or have heard of that does policy validation for PKI vendor-supplied policies.

In relation to Symantec, the Federal Bridge was established as an interoperability hub using OID validation of strong- to low-assurance people credentials, which were intermingled with device credentials (the focus primarily being on people). If you ask anyone in the Federal PKI, they would say "I only accept XX.XX OID and don't worry about other certificates." This is a potential issue for products that only do path validation, though. That doesn't address any of the questions directed at Symantec and why the cross-cert wasn't disclosed. If browsers did policy validation, would it have been a problem? I can't answer that.

Here is an overview document of how the U.S. Federal PKI was designed and built (https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNRIAA4&field=File__Body__s)
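As an added illustration of the point above about products that only do path validation (example code, not from the original post and not any Federal PKI or vendor implementation): a simplified model of the RFC 5280 section 6.1 policy-processing step, showing how a chain that builds fine can still fail a relying party's "I only accept this OID" rule. The policy OIDs and chains are constructed placeholders, and policy mappings, inhibitAnyPolicy and explicit-policy indicators are left out of the model.

```python
# Added example: simplified RFC 5280 section 6.1 certificate-policy processing.
# Certificates are modelled only by the policy OIDs in their certificatePolicies
# extension (a constructed model, not real X.509 parsing). Policy mappings,
# inhibitAnyPolicy and explicit-policy indicators are not modelled (assumption).

ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID from RFC 5280

# Constructed placeholder policy OIDs (not real Federal PKI OIDs).
PEOPLE_OID = "1.3.6.1.4.1.99999.1"   # stands in for a person-credential policy
DEVICE_OID = "1.3.6.1.4.1.99999.2"   # stands in for a device/server policy


def valid_policies(chain):
    """Walk the chain (root first; each item is the cert's policy OID set, or
    None if the extension is absent) and return the policies that remain valid
    for the leaf. An empty set means the chain asserts no consistent policy."""
    valid = {ANY_POLICY}  # valid_policy_tree starts with a single anyPolicy node
    for asserted in chain:
        if asserted is None:
            return set()  # extension absent: the tree is set to NULL (6.1.3 e)
        asserted = set(asserted)
        if ANY_POLICY in asserted:
            continue  # anyPolicy keeps every policy already in the tree alive
        # If earlier certs accepted anything, this cert defines the tree;
        # otherwise only policies asserted by every cert so far survive.
        valid = asserted if ANY_POLICY in valid else valid & asserted
        if not valid:
            return set()
    return valid


def policy_validation_passes(chain, accepted):
    """Relying-party check: the chain must carry at least one policy in the
    accepted set (the "I only accept XX.XX OID" rule). Plain path validation
    never performs this step, so a chain can build and still fail here."""
    valid = valid_policies(chain)
    if ANY_POLICY in valid or ANY_POLICY in accepted:
        return bool(valid)
    return bool(valid & set(accepted))


# Constructed chains: root (anyPolicy) -> intermediate -> leaf.
GOOD_CHAIN = [{ANY_POLICY}, {PEOPLE_OID, DEVICE_OID}, {PEOPLE_OID}]
WRONG_POLICY_CHAIN = [{ANY_POLICY}, {PEOPLE_OID, DEVICE_OID}, {DEVICE_OID}]
NO_POLICY_CHAIN = [{ANY_POLICY}, {PEOPLE_OID, DEVICE_OID}, None]

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("wrong", WRONG_POLICY_CHAIN), ("none", NO_POLICY_CHAIN)]:
        print(name, policy_validation_passes(chain, {PEOPLE_OID}))
```

All three chains would pass a signature-and-name path build; only the first survives when the relying party accepts PEOPLE_OID alone.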