Cert chain validation
Suppose I have a certificate chain consisting of a Root, a CA and a User
certificate.

The policy extension in the Root certificate contains one OID of 1.2.4.
The policy extension in the CA certificate contains one OID of 1.2.4.
The policy extension in the User certificate contains one OID of 1.2.4.1.

Assuming all other data is valid, is this a valid certificate chain?

It appears to me that the algorithm defined in draft-ietf-pkix-new-part1-00
would determine that this certificate path is invalid. And the way to
correct it would be to add a policy mapping to the CA certificate for the
OID 1.2.4.1.

Is the policy mapping necessary in a closed community, if the Relying Party
trusts all certs issued with a policy OID of 1.2.4 and all certs issued with
a policy OID of 1.2.4.1?
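
The chain described in the post above, run through a simplified set-based model of policy processing. This is an added example, not part of the original message and not the draft's own algorithm. It assumes policy OIDs match only on exact equality, that explicit policy is required, and it does not model anyPolicy or the inhibit counters; the function names and chain layout are hypothetical.

```python
# Simplified, set-based model of certificate-policy processing (added example).
# Assumptions: policy OIDs match only on exact equality, explicit policy is
# required, and anyPolicy / inhibit counters are not modelled.

def valid_policies(chain):
    """chain: list of (name, policies, mappings), ordered root to end entity.

    mappings is {issuerDomainPolicy: {subjectDomainPolicy, ...}} as carried in
    that certificate's policy mappings extension. Returns the set of
    root-domain policies that survive the whole path.
    """
    # expected: OID the next certificate must assert -> root-domain OIDs it stands for
    expected = None  # None = nothing constrained yet (first certificate)
    for name, policies, mappings in chain:
        if expected is None:
            matched = {p: {p} for p in policies}
        else:
            matched = {p: expected[p] for p in policies if p in expected}
        # Apply this certificate's mappings for the certificates below it.
        expected = {}
        for oid, origins in matched.items():
            for target in mappings.get(oid, {oid}):
                expected.setdefault(target, set()).update(origins)
    survivors = set()
    for origins in expected.values():
        survivors |= origins
    return survivors

def path_is_valid(chain):
    # With explicit policy required, an empty policy set fails the path.
    return bool(valid_policies(chain))

# Constructed chains using the OIDs from the post.
UNMAPPED = [
    ("Root", {"1.2.4"}, {}),
    ("CA", {"1.2.4"}, {}),
    ("User", {"1.2.4.1"}, {}),
]
MAPPED = [
    ("Root", {"1.2.4"}, {}),
    ("CA", {"1.2.4"}, {"1.2.4": {"1.2.4.1"}}),
    ("User", {"1.2.4.1"}, {}),
]

if __name__ == "__main__":
    for label, chain in (("no mapping", UNMAPPED), ("CA maps 1.2.4 -> 1.2.4.1", MAPPED)):
        print(label, "->", sorted(valid_policies(chain)) or "no valid policy")
```

In this model the unmapped chain ends with an empty policy set because 1.2.4.1 is not treated as a child of 1.2.4, while the mapped chain ends with 1.2.4 as the surviving root-domain policy.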