RE: Certificate policy question
"Fillingham,  David W." <dwfilli@xxxxxxxxxxxxxx> writes:

>I don't believe that there is anything in any of the applicable standards
>that would suggest a certificate can only comply with a single policy, or
>only assert one policy.

I can't really see the point of having a policy extension (in an EE cert) if
you can have more than one, and they conflict.  It's like having a posted
speed limit of 60 and 70 and 100 kph in the same location; you may as well not
post anything, because no-one knows what they need to comply with.  In other
words, having > 1 (incompatible) policy in an EE cert is of no value to
relying parties because they don't know what to rely on.

Actually that probably provides the answer to the question: > 1 policy in an
EE cert, where one policy isn't a subset/refinement/compatible version of the
other [0], demonstrates that the issuer is sufficiently confused over policy
issues that the cert should be regarded as following no policy at all :-).

>I hope that application developers will adhere closely to what X.509 and RFC
>3280 have to say about certificate policy processing.

s/hope/wish/
s/will/would/
d/about certificate policy processing/

Peter.

[0] Figuring out how to check for this is left as an exercise for the reader.
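One relying-party-side way to do the check the footnote leaves open: decode the DER value of an X.509 certificatePolicies extension (RFC 3280 section 4.2.1.5) and report whether the EE cert asserts none, one, or more than one specific policy. This is an added example, not code from the thread or from any cryptlib/X.509 implementation; it assumes the caller has already extracted the raw extension value, and the sample DER bytes are hand-constructed here rather than taken from a real certificate.

```python
ANY_POLICY = "2.5.29.32.0"   # anyPolicy: not a specific policy claim

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def policy_oids(ext_value):
    """List the policyIdentifier OIDs in a certificatePolicies value.
    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }
    Qualifiers are skipped; only the identifier matters for this check."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid, _ = _read_tlv(info, 0)       # first element: policyIdentifier
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(oid))
    return oids

def assess(ext_value):
    """Summarise the claim: no, one, or more than one specific policy."""
    distinct = sorted({o for o in policy_oids(ext_value) if o != ANY_POLICY})
    if not distinct:
        return "no specific policy"
    if len(distinct) == 1:
        return "single policy: " + distinct[0]
    return "multiple policies: " + ", ".join(distinct)

# Constructed DER samples (hand-encoded here, not taken from any real cert).
TWO_POLICIES = bytes.fromhex("300e 3005 0603 2a0304 3005 0603 2a0305")   # 1.2.3.4, 1.2.3.5
ONE_PLUS_ANY = bytes.fromhex("300f 3005 0603 2a0304 3006 0604 551d2000") # 1.2.3.4, anyPolicy
```

Whether two distinct OIDs are a refinement of one another cannot be read from the extension itself; this only flags that more than one specific policy is asserted so the relying party can decide what, if anything, to rely on.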