Hello everyone, I have a question regarding compliance of the id-ad-caIssuers extension (OID: 1.3.6.1.5.5.7.48.2) under the CA/Browser Forum Baseline Requirements (BR). Per Section 7.1.2.10.3 of the BR <https://github.com/cabforum/servercert/blob/main/docs/BR.md#712103-ca-certificate-authority-information-access>, the requirement for id-ad-caIssuers is: A HTTP URL of the Issuing CA's certificate.
In this regard, I have two questions for clarification:

1. If the id-ad-caIssuers extension in a subordinate CA certificate points to a cross certificate, would this violate the relevant provisions of the BR?

2. According to the definition of id-ad-caIssuers in RFC 5280 Section 4.2.2.1 <https://www.rfc-editor.org/rfc/inline-errata/rfc5280.html>:

   "Where the information is available via HTTP or FTP, accessLocation MUST be a uniformResourceIdentifier and the URI MUST point to either a single DER encoded certificate as specified in [RFC2585] or a collection of certificates in a BER or DER encoded "certs-only" CMS message as specified in [RFC2797]."

   Accordingly, id-ad-caIssuers may point to either a single DER-encoded certificate or a certs-only CMS certificate bundle (.p7c format). If the id-ad-caIssuers extension in a subordinate CA certificate points to a .p7c certificate bundle containing both cross certificates and root certificates, would this violate the relevant provisions of the BR?

Thanks!
Awel
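As an added example (not code from the original post): one way to check mechanically which of the two RFC 5280 forms a caIssuers URI actually serves is to walk the DER of the fetched body and distinguish a single Certificate (outer SEQUENCE whose first element is the tbsCertificate SEQUENCE) from a certs-only CMS ContentInfo (outer SEQUENCE whose first element is the id-signedData OID), then count the certificates carried in the SignedData. The function names, the `scheme_is_http` field and the DER sample inputs below are constructed for this example; it assumes well-formed DER and does no signature or chain validation.

```python
from urllib.parse import urlparse

ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2

def _tlv(data: bytes, pos: int = 0):
    """Parse one DER TLV at pos; return (tag, value, end). Assumes valid DER."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value: bytes):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def classify_ca_issuers(uri: str, body: bytes) -> dict:
    """Report whether a caIssuers target is a single Certificate or a
    certs-only CMS SignedData, and how many certificates it carries."""
    report = {"scheme_is_http": urlparse(uri).scheme == "http",
              "kind": "unknown", "certs": 0}
    tag, outer, _ = _tlv(body)
    if tag != 0x30 or not outer:           # both forms are a SEQUENCE
        return report
    first_tag, first_val = next(_children(outer))
    if first_tag == 0x30:                  # tbsCertificate -> Certificate
        report["kind"], report["certs"] = "certificate", 1
    elif first_tag == 0x06 and first_val == ID_SIGNED_DATA:
        report["kind"] = "cms-certs-only"
        _, explicit = list(_children(outer))[1]     # [0] EXPLICIT SignedData
        _, signed_data = next(_children(explicit))
        for t, v in _children(signed_data):
            if t == 0xA0:                  # [0] IMPLICIT certificates SET OF
                report["certs"] = sum(1 for _ in _children(v))
    return report

# Constructed sample inputs (not real certificates; short-form lengths only).
def der(tag: int, *parts: bytes) -> bytes:
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

FAKE_CERT = der(0x30, der(0x30, der(0x02, b"\x02")), der(0x30, b""), der(0x03, b"\x00"))
ID_DATA = ID_SIGNED_DATA[:-1] + b"\x01"                # 1.2.840.113549.1.7.1
FAKE_BUNDLE = der(0x30, der(0x06, ID_SIGNED_DATA), der(0xA0, der(0x30,
    der(0x02, b"\x01"), der(0x31, b""), der(0x30, der(0x06, ID_DATA)),
    der(0xA0, FAKE_CERT, FAKE_CERT, FAKE_CERT), der(0x31, b""))))
```

Run against a real fetched body, the `certs` count and `kind` tell you whether a .p7c target is a bundle (and how many certificates a relying party would have to sift through) rather than the single issuing CA certificate the BR text names.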
