Re: RFC 3280 : anyPolicy in the policy mapping extension

["Housley, Russ" <rhousley@xxxxxxxxxxxxxxx>]

You are reading correctly.  The algorithm prohibits mapping from 
any-policy.  The text says that one should not map to any-policy either.

Russ


At 01:30 PM 10/29/2002 +0900, Takashi ITO wrote:

> Hello,
>
> I am studying certificate path validation in RFC 3280. And I have a
> question about the policy mapping.
>
> In clause 4.2.1.6, RFC 3280 says:
>
>     Policies SHOULD NOT be mapped either to or from the special value
>     anyPolicy (section 4.2.1.5).
>
> However, Certification Path Processing in clause 6.1.4 says:
>
>     (a)  If a policy mapping extension is present, verify that the
>     special value anyPolicy does not appear as an issuerDomainPolicy
>     or a subjectDomainPolicy.
>
> The above procedure seems to mean checking the prohibition of using
> anyPolicy in the policy mapping extension.
>
> So I think that anyPolicy in this extension described in clause 4.2.1.6
> should be prohibited, by replacing "SHOULD NOT" with "SHALL NOT" as the
> following:
>
>     Policies SHALL NOT be mapped either to or from the special value
>     anyPolicy (section 4.2.1.5).
>
> Is my understanding right?
>
> Thanks,
>
>
> Takashi ITO <takashim@xxxxxxxxxxxxxxxxxxx>
> Mitsubishi Electric Corporation