On 02/05/17 16:15, Ryan Sleevi wrote: <snip>
> Perhaps I explained it poorly, because that's what I was trying to describe :)
Great. Maybe I had had enough coffee. :-)
> That is, you would not, as part of the inputs to RFC 5280, validate that Leaf was ever valid for 2.23.140.x.y.z (the user-initial-policy-set from https://tools.ietf.org/html/rfc5280#section-6.1.1 ). But the absence of it from the Intermediate would not cause RFC 5280 validation to fail, assuming the anyPolicy was given in the user-initial-policy-set; it just won't have 2.23.140.x.y.z in the resultant valid_policy_tree ( https://tools.ietf.org/html/rfc5280#section-6.1.6 )
If anyPolicy is not in the user-initial-policy-set, but the BR DV OID (for my first example) or the CA-specific EV OID (for my second example) is in the user-initial-policy-set, that would also suffice, right?
-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
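The valid_policy_tree processing the two messages above are discussing, as an added worked example that is not part of the thread or of any CA's code: a reduced implementation of the RFC 5280 section 6.1 policy-tree steps (6.1.2 initialisation, 6.1.3 (d)-(f), 6.1.4 (i)/6.1.5 (a) explicit_policy bookkeeping, 6.1.5 (g) intersection with user-initial-policy-set), run over chains in which the Intermediate does not assert the Leaf's BR OID, asserts anyPolicy, or asserts the BR OID itself, with user-initial-policy-set equal to anyPolicy, the BR DV OID, or a CA-specific OID. The CA-specific OID, the chain contents and the simplifications (no policy mappings, no policyConstraints or inhibitAnyPolicy extensions in the chain, no self-issued certificates, qualifiers ignored) are assumptions of this example, not something the messages state.

```python
"""RFC 5280 section 6.1 certificate-policy processing, reduced to the
valid_policy_tree logic. Assumptions (not RFC text): no policy mappings,
no policyConstraints / inhibitAnyPolicy extensions in the chain, no
self-issued intermediates, qualifiers ignored. A certificate is modelled
as the set of OIDs in its certificatePolicies extension (None = absent)."""
from dataclasses import dataclass, field
from typing import Optional

ANY_POLICY = "2.5.29.32.0"          # anyPolicy
BR_DV = "2.23.140.1.2.1"            # CA/Browser Forum BR domain-validated OID
CA_OWN = "1.3.6.1.4.1.99999.1.1"    # constructed placeholder for a CA-specific OID


@dataclass
class Node:
    valid_policy: str
    expected: set                   # expected_policy_set
    depth: int
    parent: Optional["Node"] = None
    children: list = field(default_factory=list)


def _walk(node):
    yield node
    for c in list(node.children):
        yield from _walk(c)


def _at_depth(root, depth):
    return [n for n in _walk(root) if n.depth == depth]


def _prune(node, max_depth):
    """Delete childless nodes of depth <= max_depth (6.1.3 d.3, 6.1.5 g.iii.4).
    Returns False when the node itself must go (the tree is NULL if it is the root)."""
    if node.depth > max_depth:
        return True
    node.children = [c for c in node.children if _prune(c, max_depth)]
    return bool(node.children)


def validate_policies(chain, user_initial_policy_set, initial_explicit_policy=False):
    """chain: certificatePolicies sets, trust anchor excluded, ordered towards the
    leaf. Returns (path_valid, valid_policy values at depth n, or None for a NULL tree)."""
    n = len(chain)
    root = Node(ANY_POLICY, {ANY_POLICY}, 0)                 # 6.1.2 (a)
    explicit_policy = 0 if initial_explicit_policy else n + 1  # 6.1.2 (d)
    for i, policies in enumerate(chain, start=1):
        if policies is None:                                 # 6.1.3 (e)
            root = None
        elif root is not None:                               # 6.1.3 (d)
            prev = _at_depth(root, i - 1)
            for p in policies - {ANY_POLICY}:
                matches = [m for m in prev if p in m.expected]               # d.1.i
                if not matches:                                              # d.1.ii
                    matches = [m for m in prev if m.valid_policy == ANY_POLICY]
                for m in matches:
                    m.children.append(Node(p, {p}, i, m))
            if ANY_POLICY in policies:                                       # d.2
                for m in prev:
                    have = {c.valid_policy for c in m.children}
                    for e in sorted(m.expected - have):
                        m.children.append(Node(e, {e}, i, m))
            if not _prune(root, i - 1):                                      # d.3
                root = None
        if explicit_policy == 0 and root is None:            # 6.1.3 (f)
            return False, None
        if explicit_policy:                                  # 6.1.4 (i) / 6.1.5 (a)
            explicit_policy -= 1
    # 6.1.5 (g): intersect the tree with user-initial-policy-set
    if root is not None and user_initial_policy_set != {ANY_POLICY}:
        vpns = [nd for nd in _walk(root)                                     # g.iii.1
                if nd.parent is not None and nd.parent.valid_policy == ANY_POLICY]
        for nd in vpns:                                                      # g.iii.2
            if nd.valid_policy != ANY_POLICY and nd.valid_policy not in user_initial_policy_set:
                nd.parent.children.remove(nd)
        for nd in _at_depth(root, n):                                        # g.iii.3
            if nd.valid_policy == ANY_POLICY and nd.parent is not None:
                for p in sorted(user_initial_policy_set - {v.valid_policy for v in vpns}):
                    nd.parent.children.append(Node(p, {p}, n, nd.parent))
                nd.parent.children.remove(nd)
        if not _prune(root, n - 1):                                          # g.iii.4
            root = None
    if root is None:                                         # success iff explicit_policy > 0
        return explicit_policy > 0, None
    return True, {nd.valid_policy for nd in _at_depth(root, n)}


if __name__ == "__main__":
    chains = {"Intermediate {CA}, Leaf {BR-DV}": [{CA_OWN}, {BR_DV}],
              "Intermediate {anyPolicy}, Leaf {BR-DV}": [{ANY_POLICY}, {BR_DV}],
              "Intermediate {CA, BR-DV}, Leaf {BR-DV}": [{CA_OWN, BR_DV}, {BR_DV}]}
    for name, chain in chains.items():
        for uips in ({ANY_POLICY}, {BR_DV}, {CA_OWN}):
            for explicit in (False, True):
                print(name, sorted(uips), "explicit" if explicit else "lenient",
                      validate_policies(chain, uips, explicit))
```

What the runs show: when the Intermediate asserts neither anyPolicy nor the Leaf's OID, the tree is NULL after the Leaf is processed and the path is still accepted unless initial-explicit-policy is set, whatever user-initial-policy-set contains; when the Intermediate asserts anyPolicy, the Leaf's OID reaches depth n and survives the intersection only if user-initial-policy-set is anyPolicy or contains that OID; a user-initial-policy-set that names a different OID empties the tree, which again only fails the path under initial-explicit-policy.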
