RE: Certificate policy question
Hi Peter:
I don't believe that there is anything in any of the applicable standards
that would suggest a certificate can only comply with a single policy, or
only assert one policy.
X.509, Section 8.1.4 describes how to process certificate paths, including
those that may include multiple policies in the certificate policies
extension.
X.509 Section 8.2.2.6 goes on to describe the Certificate Policies
extension:
"This field lists certificate policies, recognized by the issuing CA, that
apply to the certificate, together with optional qualifier information
pertaining to these certificate policies. The list of certificate policies
is used in determining the validity of a certification path, as described in
clause 10."
Of course, the very name of the Certificate Policies extension implies that
more than one policy may be populated in the extension.
Similarly, RFC 3280 states:
"4.2.1.5 Certificate Policies
The certificate policies extension contains a sequence of one or more policy
information terms..."
RFC 3280 Section 6.1 describes how to process the certificate policies field
when validating certificate paths, including cases where multiple
certificate policies are asserted in end-entity and intermediate CA
certificates.
The real-world use of multiple certificate policy OIDs asserted in CA
certificates is pretty clear. For example, in the US DoD PKI, we have
defined two different certificate policies:
CLASS 3
CLASS 4
Our policies are written so that certificates increase in assurance from
CLASS 3 to CLASS 4. By asserting our CLASS 3 and CLASS 4 policy OIDs in our
CA certificates, our CAs can issue valid certificates with either of these
policy OIDs asserted. For example, one end entity subscriber certificate
asserting a CLASS 3 policy can be issued with subscriber private key
protection provided by software, while another certificate issued from the
same CA may assert CLASS 4 because private key protection is provided in
hardware, and the CA conforms to all other CLASS 4 requirements.
A conceivable use of multiple policy OIDs in end-entity subscriber
certificates would be when a certificate conforms to policies associated
with two different communities. For example, a certificate issued by a
local agency may conform to a broad Federal Certificate Policy, as well as a
more stringent local agency policy. Asserting both policies in the
certificate allows the local agency to use the certificate policies
extension to set up some of its higher sensitivity relying party
applications to demand the locally generated certificates, while allowing
external Federal agencies to accept the agency's certificate on the basis of
the Federal policy being asserted.
I hope that application developers will adhere closely to what X.509 and RFC
3280 have to say about certificate policy processing. If application
developers include more constraints on the certificate policies extension
than the standards call out, that creates real problems for those of us
trying to stand up large PKIs in policy-heterogeneous environments.
Best Regards,
Dave Fillingham
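As an added example (not code from this thread or from either correspondent), the relying-party decision described above in code: decode the certificatePolicies extension from its DER bytes and accept the certificate only when its asserted policy OIDs intersect the application's acceptable set, so a sensitive local application can demand the local policy while an external agency accepts the certificate on the Federal one. The sample DER and the OIDs under the 2.999 example arc are constructed placeholders.

```python
ANY_POLICY = "2.5.29.32.0"   # anyPolicy, RFC 3280 4.2.1.5

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    subids, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]                       # first two arcs are packed together
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(x) for x in head + subids[1:])

def parse_certificate_policies(ext_value):
    """Return every policyIdentifier in a certificatePolicies extension value;
    policy qualifiers (e.g. a CPS URI) are skipped, not validated."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)   # PolicyInformation
        tag, oid, _ = read_tlv(info, 0)     # policyIdentifier is its first field
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid))
    return oids

def policy_acceptable(asserted, user_initial_policy_set):
    """RFC 3280 6.1 reduced to one certificate: accept if the policy sets intersect."""
    return ANY_POLICY in asserted or bool(set(asserted) & set(user_initial_policy_set))

# Constructed DER: a broad "Federal" policy plus a stricter "local" policy that
# carries a CPS URI qualifier. OIDs under 2.999 are placeholders (ITU example arc).
FEDERAL, LOCAL = "2.999.2.1", "2.999.2.2"
SAMPLE_EXT = bytes.fromhex(
    "302a"                                  # SEQUENCE OF PolicyInformation
    "3006" "0604" "88370201"                #   { 2.999.2.1 }
    "3020" "0604" "88370202"                #   { 2.999.2.2, qualifiers:
    "3018" "3016" "0608" "2b06010505070201" #     id-qt-cps,
    "160a" "687474703a2f2f637073")         #     IA5String "http://cps" }
```

Calling `policy_acceptable(parse_certificate_policies(SAMPLE_EXT), {LOCAL})` models the high-sensitivity local application and `{FEDERAL}` the external agency; a full path validation would additionally intersect policies along the chain and honour policy constraints and mappings.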
-----Original Message-----
From: pgut001@xxxxxxxxxxxxxxxxx [mailto:pgut001@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 11, 2002 12:19 AM
To: ietf-pkix@xxxxxxx
Subject: Certificate policy question
[Warning: This is one of those questions which is probably best answered in
the Style Guide with a note saying "Don't do that"]
Someone just sent me yet another weird cert [0] which has two different, in
some places mutually exclusive, policies (that is, CPSes) in the
certificatePolicies. I know the de facto standard handling for this is to
ignore the policy, but what's the official word on this? Do you pick the one
you like best and ignore the rest? Use the LSB of the public key as an index
to pick one? Pop up a copy of Acrobat in a dialog box, ask the user to read
the 100-odd-page CPSes, and pick the one with the flashiest graphic on the
cover?
I'd like to at least do *something* in my code other than just ignoring it.
Peter.
[0] The cool thing about 2459/3280's complexity is that everyone gets their
own mistake arc without ever having to duplicate anyone else's. Maybe we
could formalise this with OIDs or something :-).