On 02/05/17 16:40, Ryan Sleevi wrote:
> <snip>
> Correct. None of the implementations today by the member browsers
> (except for the possibility of 360, which I've not examined) provide BR
> DV OIDs in the user-initial-policy-set, but 'most', on encountering
> a leaf asserting a CA-specific EV OID, will attempt to supply that
> policy OID in the user-initial-policy-set.
>
> In both cases, the presence of an (unrelated) OID will work.
>
> My remarks about the 'incorrectness' of it were with respect to the fact
> that, as structured and implemented (and without the intermediate
> asserting anyPolicy, which arguably is a desirable property - that is,
> to not require/encourage intermediates to assert anyPolicy), the leaf
> would never validate with the 2.23.140.x.y.z OID in the
> user-initial-policy-set.
>
> It's 'effective', just 'crude', from an engineering perspective :)
And if, as today, the Leaf cert doesn't contain 2.23.140.x.y.z, then the
same is true: the leaf would never validate with the 2.23.140.x.y.z OID
in the user-initial-policy-set. Right? If so, I'm not really sure why
you think this approach would be "crude", tbh.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
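The exchange above turns on how RFC 5280 section 6.1 builds the valid_policy_tree and then intersects it with the user-initial-policy-set. The following is an added worked example, not code from either poster, any browser or any CA: a deliberately simplified model of that processing (no policyMappings, no inhibitAnyPolicy or requireExplicitPolicy constraints, OIDs as plain strings). anyPolicy and the BR DV OID are the real values; the "CA-specific EV OID" is a placeholder arc chosen for illustration. It shows the four situations discussed: intermediate without anyPolicy, intermediate with anyPolicy, leaf that omits 2.23.140.x.y.z, and a relying party that runs with any-policy (no preference) and therefore accepts the chain regardless.

```python
"""Simplified RFC 5280 section 6.1 certificate-policy processing.

Constructed illustration only; not the code of any browser, CA or library.
Assumptions: no policyMappings, no inhibitAnyPolicy / requireExplicitPolicy
constraints, OIDs modelled as strings. CA_EV is a placeholder arc.
"""

ANY_POLICY = "2.5.29.32.0"        # anyPolicy (real OID)
BR_DV = "2.23.140.1.2.1"          # CA/B Forum BR domain-validated (real OID)
CA_EV = "1.3.6.1.4.1.99999.1.1"   # placeholder "CA-specific EV OID" (assumption)


def policy_tree_depths(chain):
    """Return the set of valid_policy values at each depth of the tree.

    Depth 0 is the trust anchor level and holds anyPolicy. `chain` is ordered
    intermediate(s) first, leaf last; each element is a frozenset of
    certificatePolicies OIDs, or None when the extension is absent. An empty
    set at a depth models a NULL valid_policy_tree from that point on.
    """
    depths = [{ANY_POLICY}]
    for policies in chain:
        prev = depths[-1]
        cur = set()
        if policies is not None and prev:
            # 6.1.3(d)(1): a non-anyPolicy OID gets a node if the parent level
            # expects exactly that OID, or if the parent level holds anyPolicy.
            for p in policies - {ANY_POLICY}:
                if p in prev or ANY_POLICY in prev:
                    cur.add(p)
            # 6.1.3(d)(2): anyPolicy in this certificate carries forward every
            # parent expectation that did not already receive a child node.
            if ANY_POLICY in policies:
                cur |= prev - cur
        # 6.1.3(e): absent certificatePolicies extension -> tree becomes NULL.
        depths.append(cur)
    return depths


def valid_policy_set(chain, user_initial_policy_set=None):
    """6.1.5 wrap-up: intersect the tree with user-initial-policy-set.

    None stands for the special value any-policy (the relying party states no
    preference), which is how the browsers in the thread run for DV chains.
    """
    final = policy_tree_depths(chain)[-1]
    if user_initial_policy_set is None:
        return set(final)
    if ANY_POLICY in final:
        # A leaf-level anyPolicy node matches every user policy.
        return set(user_initial_policy_set)
    return final & set(user_initial_policy_set)


def validates(chain, user_initial_policy_set=None):
    """True when the chain satisfies the relying party's policy requirement.

    With any-policy and no requireExplicitPolicy constraint, RFC 5280 does not
    demand a non-NULL tree, so an unrelated or missing OID still validates.
    """
    if user_initial_policy_set is None:
        return True
    return bool(valid_policy_set(chain, user_initial_policy_set))


# Constructed chains: [intermediate policies, leaf policies].
INTERMEDIATE_NO_ANY = [frozenset({CA_EV}), frozenset({CA_EV, BR_DV})]
INTERMEDIATE_ANY = [frozenset({ANY_POLICY}), frozenset({CA_EV, BR_DV})]
INTERMEDIATE_EXPLICIT = [frozenset({CA_EV, BR_DV}), frozenset({CA_EV, BR_DV})]
LEAF_WITHOUT_BR = [frozenset({ANY_POLICY}), frozenset({CA_EV})]


def run_cases():
    """Evaluate each constructed chain against user-initial-policy-set {BR_DV}."""
    want = {BR_DV}
    return {
        "intermediate_no_anypolicy": validates(INTERMEDIATE_NO_ANY, want),
        "intermediate_anypolicy": validates(INTERMEDIATE_ANY, want),
        "intermediate_lists_br_dv": validates(INTERMEDIATE_EXPLICIT, want),
        "leaf_without_br_dv": validates(LEAF_WITHOUT_BR, want),
        "any_policy_relying_party": validates(INTERMEDIATE_NO_ANY, None),
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'validates' if ok else 'does NOT validate'}")
```

The first and fourth cases are the two statements in the thread: without anyPolicy on the intermediate (and without the intermediate listing the BR OID itself), the leaf's 2.23.140.x.y.z node is never created, and a leaf that omits the OID cannot match either. The last case is why the unrelated OID "works" in practice: a relying party with any-policy as its user-initial-policy-set never rejects on policy grounds at all.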