certificate policies extension in RFC2459 and new-part1-04
Hello.
I sent the following mail to this list six months ago,
but I did not get any replies, so I am sending the same question again today.
It seems to me that there is an inconsistency between RFC2459 and
new-part1-04 about processing the certificate policies extension.
In RFC2459, if the certificate policies extension is marked as
non-critical, it is not processed.
But in new-part1-04, the certificate policies extension is
processed regardless of its critical flag.
For example, consider the certificate path shown below, where the
acceptable policy set is (A). In RFC2459, validation of this path
will succeed, but in new-part1-04 it will fail.
+------------------------+
|      root CA cert      |
|                        |
|   critical policy(A)   |
+------------------------+
            |
+------------------------+
|    end entity cert     |
|                        |
| non-critical policy(B) |
+------------------------+
Also, new-part1-04 requires that a certificate must have a certificate
policies extension.
For example, the following certificate path will succeed in RFC2459,
but will fail in new-part1-04.
+------------------------+
|      root CA cert      |
|                        |
|   critical policy(A)   |
+------------------------+
            |
+------------------------+
|    end entity cert     |
|                        |
|      (no policy)       |
+------------------------+
So, is new-part1-04 not compatible with certificates that were
issued based on RFC2459?
What do you think about the compatibility between RFC2459 and new-part1-04?
Am I misunderstanding something?
Could anyone advise me?
Thanks in advance.
-----
Takiguchi Naruhito
FUJITSU HOKURIKU SYSTEMS LTD.
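The two paths in the mail above, run through a small model of the two policy-processing rules as the poster describes them. This is an added illustration, not code from the poster or from either document: it encodes only the behaviour the mail attributes to RFC2459 (a non-critical certificatePolicies extension is skipped; a critical one is intersected with the acceptable policy set) and to new-part1-04 (the extension is intersected regardless of the critical flag, and a certificate without the extension fails). The `Cert` class, the function names and the path constants `PATH_1`/`PATH_2` are assumptions made for the example; the certificates are constructed stand-ins, not real X.509 objects.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for one certificate in a path (not real X.509).

    policies: the policy identifiers in certificatePolicies, or None when
    the extension is absent.  critical: the extension's critical flag.
    """
    name: str
    policies: Optional[FrozenSet[str]]
    critical: bool = False


def validate_rfc2459(path: List[Cert], acceptable: Set[str]) -> Tuple[bool, Set[str]]:
    """Policy processing as the mail reads RFC2459.

    Only a critical certificatePolicies extension is intersected with the
    acceptable policy set; a non-critical or absent extension is skipped.
    Returns (path_valid, final acceptable policy set).
    """
    acc = set(acceptable)
    for cert in path:
        if cert.policies is None or not cert.critical:
            continue  # absent or non-critical: not processed under this reading
        acc &= cert.policies
        if not acc:
            return False, acc  # intersection became empty: path rejected
    return True, acc


def validate_newpart1(path: List[Cert], acceptable: Set[str]) -> Tuple[bool, Set[str]]:
    """Policy processing as the mail reads new-part1-04.

    The extension is intersected regardless of the critical flag, and a
    certificate that lacks the extension fails outright.
    """
    acc = set(acceptable)
    for cert in path:
        if cert.policies is None:
            return False, set()  # extension required under this reading
        acc &= cert.policies
        if not acc:
            return False, acc
    return True, acc


def compare(path: List[Cert], acceptable: Set[str]) -> Dict[str, bool]:
    """Validity verdict of the same path under both readings."""
    return {
        "RFC2459": validate_rfc2459(path, acceptable)[0],
        "new-part1-04": validate_newpart1(path, acceptable)[0],
    }


# Constructed paths mirroring the two diagrams in the mail.
ROOT_A = Cert("root CA cert", frozenset({"A"}), critical=True)
PATH_1 = [ROOT_A, Cert("end entity cert", frozenset({"B"}), critical=False)]
PATH_2 = [ROOT_A, Cert("end entity cert", None)]


if __name__ == "__main__":
    for label, path in (("non-critical policy(B)", PATH_1), ("(no policy)", PATH_2)):
        print(label, compare(path, {"A"}))
```

Both constructed paths come out valid under the RFC2459 reading and invalid under the new-part1-04 reading, which is exactly the incompatibility the mail asks about; a path whose end-entity certificate carries a critical policy(B) against an acceptable set of (A) fails under both readings, since then the critical flag no longer makes a difference.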