
Re: certificate policies extension in RFC2459 and new-part1-04



David,

Thank you very much.
I had misunderstood, and your reply made it clear to me.

"David A. Cooper" wrote:
> At 06:36 PM 2/20/01 +0900, TAKIGUCHI Naruhito wrote:
> >It seems to me that there is an inconsistency between RFC2459 and 
> >new-part1-04 about processing the certificate policies extension.
> 
> Yes, this is true. Sometime in 1999, after RFC 2459 was completed, defects were discovered in the certificate policy processing semantics of X.509. As a result, a defect report was issued against X.509. The text that appears in new-part1-04 reflects the resolution to that defect report (similar changes were also made to X.509 to reflect the resolution to the defect report).
> 
> >In RFC2459, if the certificate policies extension is marked as non-critical, it is not processed. 
> >But in new-part1-04, the certificate policies extension is processed regardless of its critical flag.
> 
> This is not exactly true, but it was the case that previously the certificate policies extension was processed differently when it was critical from when it was non-critical. The rules now state that the extension is processed in the same way whether it is critical or non-critical.
> 
> >For example, consider there is a certificate path as shown below, 
> >and the acceptable policy set is (A). In RFC2459, this path's validation
> >processing will succeed. But in new-part1-04, this path's validation
> >processing will fail.
> 
> Not necessarily. If the require-explicit-policy flag is not set, then a certification path will never fail as a result of certificate policies. On the other hand, if the require-explicit-policy flag is set, then the path below would fail.
> 
> >     +------------------------+
> >     | root CA cert           |
> >     |                        |
> >     | critical policy(A)     |
> >     +------------------------+
> >                 |
> >     +------------------------+
> >     | end entity cert        |
> >     |                        |
> >     | non-critical policy(B) |
> >     +------------------------+
> >
> >And, new-part1-04 requires that certificate must have a certificate policies extension.
> >For example, the following certificate path will succeed in RFC2459, but will fail in new-part1-04.
> 
> Again, this is only true if the require-explicit-policy flag is set. However, under the rules in RFC 2459, a path would also fail if the require-explicit-policy flag were set and a subsequent certificate did not include the certificate policies extension.
> 
> >     +------------------------+
> >     | root CA cert           |
> >     |                        |
> >     | critical policy(A)     |
> >     +------------------------+
> >                 |
> >     +------------------------+
> >     | end entity cert        |
> >     |                        |
> >     |      (no policy)       |
> >     +------------------------+
> >
> >Thus, is new-part1-04 not compatible with a certificate which was issued based on RFC2459?
> >What do you think about the compatibility between RFC2459 and new-part1-04?
> 
> While there may be some problems that occur if certificates are issued based on one set of semantics and processed under the other set of semantics, the problems are not as substantial as you seem to think.
> 
> The main point, however, is that the certificate policies semantics as described in RFC 2459 were found to be broken nearly 2 years ago and they needed to be fixed. The text in new-part1-04 reflects the fix that was agreed to in late 1999.
> 
> Dave
> 

-----
Takiguchi Naruhito
FUJITSU HOKURIKU SYSTEMS LTD.
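A simplified model of the policy-processing rules Dave describes, added here as an illustration and not code from either correspondent. It ignores anyPolicy, policy mappings and the inhibit flags, reduces require-explicit-policy to a boolean, and treats the root CA cert in the diagrams as a processed certificate; the two paths from the thread are constructed inline.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    name: str
    policies: Optional[FrozenSet[str]]  # None: no certificate policies extension
    critical: bool = False              # shown in the diagram; not consulted


def validate_policies(path: List[Cert], acceptable: FrozenSet[str],
                      require_explicit_policy: bool) -> Tuple[bool, str]:
    """Simplified new-part1-04 style check (hypothetical helper).

    `acceptable` plays the role of the user-initial-policy-set, the thread's "(A)".
    Returns (path_valid, reason).
    """
    valid: Optional[FrozenSet[str]] = None  # None models a NULL valid_policy_tree
    for i, cert in enumerate(path):
        if cert.policies is None:
            valid = None   # absent extension: tree becomes NULL and stays NULL
            break
        # Criticality is deliberately ignored: critical and non-critical
        # extensions are processed the same way under the new rules.
        valid = cert.policies if i == 0 else valid & cert.policies
    if valid is not None:
        valid = valid & acceptable  # final intersection with the user's set
    if require_explicit_policy and not valid:
        return False, "require-explicit-policy set and no policy survives the path"
    surviving = sorted(valid) if valid else "none (explicit policy not required)"
    return True, f"valid; surviving policies: {surviving}"


# Constructed sample data matching the two diagrams in the thread.
ROOT = Cert("root CA cert", frozenset({"A"}), critical=True)
PATH_POLICY_B = [ROOT, Cert("end entity cert", frozenset({"B"}), critical=False)]
PATH_NO_POLICY = [ROOT, Cert("end entity cert", None)]
ACCEPTABLE = frozenset({"A"})

if __name__ == "__main__":
    for label, path in (("policy B", PATH_POLICY_B), ("no policy", PATH_NO_POLICY)):
        for flag in (False, True):
            ok, why = validate_policies(path, ACCEPTABLE, flag)
            print(f"{label:10} require-explicit-policy={flag!s:5} -> {ok}: {why}")
```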