On 02/05/17 10:23, Gervase Markham via Public wrote:
> On 02/05/17 10:18, Rob Stradling via Public wrote:
>> Or you could embed all of this into a single Certificate Policy OID.
>
> (off-list)
>
> Would that not be problematic if, as a previous message in the thread
> noted, there wasn't an anyPolicy OID in the intermediate? Or am I
> misunderstanding how this works?

Hi Gerv. I was about to reply "Oh yeah, you're right", but I thought
I'd first take another look at RFC5280 Section 6 (Certificate Path
Validation)...

I *think* each of the policy OIDs in a leaf cert are processed
independently. That is, as long as at least 1 of the OID(s) matches the
expected set, it's valid.

But please seek a second opinion on that. I'm far from confident that I
understand correctly. :-)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
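
The policy question discussed in this message can be tried out with a simplified model of the RFC 5280 Section 6.1 policy processing. This is an added example, not part of the original e-mail; it assumes no policy mappings, no inhibitAnyPolicy and no qualifiers, and the OIDs under the 2.999 example arc are constructed.

```python
ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID (RFC 5280, section 4.2.1.4)

def valid_policies(chain, user_initial=frozenset({ANY_POLICY})):
    """Return the set of policy OIDs a path is valid for.

    chain: certificatePolicies OID sets, ordered from the first certificate
    below the trust anchor down to the leaf; None means no extension.
    An empty result fails validation only when an explicit policy is required.
    """
    valid = {ANY_POLICY}  # initial valid_policy_tree: one anyPolicy node
    for cert_policies in chain:
        if not valid or cert_policies is None:
            valid = set()  # tree is NULL and stays NULL
            continue
        nxt = set()
        # Each asserted OID is checked on its own against the parent level.
        for p in cert_policies - {ANY_POLICY}:
            if p in valid or ANY_POLICY in valid:
                nxt.add(p)
        # anyPolicy in this certificate carries every parent policy forward.
        if ANY_POLICY in cert_policies:
            nxt |= valid
        valid = nxt  # policies with no match at this level are pruned
    # Wrap-up: intersect with the relying party's acceptable policies.
    if ANY_POLICY in user_initial:
        return valid
    if ANY_POLICY in valid:
        return set(user_initial)
    return valid & set(user_initial)

# Constructed OIDs under the 2.999 example arc.
A, B, C = "2.999.1", "2.999.2", "2.999.3"

def demo():
    """Intermediate policies first, leaf policies second."""
    return {
        # Leaf asserts A and C, intermediate lists A and B: A survives.
        "one_of_two_matches": valid_policies([{A, B}, {A, C}]),
        # Leaf asserts only C, intermediate has no anyPolicy: nothing survives.
        "single_oid_not_in_intermediate": valid_policies([{A, B}, {C}]),
        # Same leaf under an anyPolicy intermediate: C survives.
        "single_oid_under_anypolicy": valid_policies([{ANY_POLICY}, {C}]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, sorted(result))
```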