
RE: Certificate policy question


That would be a non-conformant implementation. Please read the standard - your answers are there.
X.509 clause 8.2.2.6 is the clause that defines the certificatePolicies extension. It begins
with "This field lists certificates policies, recognized by the ......". The path validation clauses
are consistent with this. I don't see how you could possibly interpret it any other way.

One very simple example of where this is useful is a situation where an enterprise has 2 certificate
policies differing only in their scope with respect to email. One policy OID indicates that certificates
issued under this policy can be used for internal enterprise email. Another policy OID indicates that
certificates issued under this policy can be used for external email. A user who is permitted to do
external secure email as well as internal would have both OIDs in their cert. Any cross certs issued
to other enterprises with which secure email could be exchanged would contain ONLY the external email
OID. Internal users would be configured with acceptable policy sets that enable them to validate each
other's internal certificates for internal email. Users in other organizations would validate only the
certs that had the policy that was contained in the cross cert relevant to that enterprise (i.e. the external
OID).

There are existing environments where techniques such as this are in operational use today. Other environments
using policy for levels of assurance do a similar thing and a user whose cert is good for level 3 (but is also
good for levels 2 and 1) would contain all three OIDs. Different relying parties, depending on their own local
security policy, would be validating based on whatever policy is relevant. So, in this case, for example, a
relying party who required level 4 would fail validation for that cert but a relying party who required level
1, 2 or 3 would pass.

Sharon
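A simplified model of the policy processing described above, added here as an example that is not part of the thread and not OpenSSL code: it intersects certificatePolicies along a certification path and then with the relying party's acceptable policy set. It assumes no anyPolicy, no policy mappings and no inhibit/require flags, and the OIDs are constructed placeholders.

```python
from typing import Dict, Iterable, List, Optional, Set

# Constructed placeholder OIDs under a made-up private arc.
INTERNAL_EMAIL = "1.3.6.1.4.1.99999.1.1"
EXTERNAL_EMAIL = "1.3.6.1.4.1.99999.1.2"
LEVEL = {n: f"1.3.6.1.4.1.99999.2.{n}" for n in (1, 2, 3, 4)}


def valid_policy_set(path: List[Set[str]]) -> Set[str]:
    """Intersect certificatePolicies over every certificate in the path
    (first cert issued by the trust anchor, end-entity cert last).
    A certificate asserting no policy empties the set, so the path is
    then valid for no policy at all."""
    result: Optional[Set[str]] = None
    for policies in path:
        result = set(policies) if result is None else result & set(policies)
    return result or set()


def validates(path: List[Set[str]], acceptable: Iterable[str]) -> bool:
    """The relying party accepts the path iff at least one policy survives
    both the path intersection and its own acceptable policy set."""
    return bool(valid_policy_set(path) & set(acceptable))


def scenarios() -> Dict[str, bool]:
    # Enterprise CA cert asserts both policies. Alice may do external
    # mail, Bob only internal. The cross cert issued to the partner
    # enterprise carries ONLY the external-email OID.
    enterprise_ca = {INTERNAL_EMAIL, EXTERNAL_EMAIL}
    alice = {INTERNAL_EMAIL, EXTERNAL_EMAIL}
    bob = {INTERNAL_EMAIL}
    cross_cert = {EXTERNAL_EMAIL}
    level3 = {LEVEL[1], LEVEL[2], LEVEL[3]}  # good for levels 3, 2 and 1
    return {
        # Internal users validate each other's certs for internal mail.
        "bob_checks_alice_internal": validates([enterprise_ca, alice], {INTERNAL_EMAIL}),
        # The partner reaches Alice via the cross cert: only the external OID survives.
        "partner_checks_alice": validates([cross_cert, alice], {EXTERNAL_EMAIL}),
        # Bob's cert has no external OID, so the partner rejects it.
        "partner_checks_bob": validates([cross_cert, bob], {EXTERNAL_EMAIL}),
        # The partner cannot validate Alice for the internal policy either.
        "partner_checks_alice_internal": validates([cross_cert, alice], {INTERNAL_EMAIL}),
        # Level-of-assurance relying parties with different local policy.
        "rp_requires_level4": validates([level3], {LEVEL[4]}),
        "rp_accepts_level1_to_3": validates([level3], {LEVEL[1], LEVEL[2], LEVEL[3]}),
    }
```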

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:levitte@xxxxx]
Sent: Thursday, December 12, 2002 6:14 AM
To: pgut001@xxxxxxxxxxxxxxxxx
Cc: dwfilli@xxxxxxxxxxxxxx; ietf-pkix@xxxxxxx
Subject: Re: Certificate policy question



In message <200212120156.gBC1uZb28698@xxxxxxxxxxxxxxxxxxxxxxxxxx> on Thu, 12 Dec 2002 14:56:35 +1300, pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann) said:

pgut001> Actually that probably provides the answer to the question: > 1
pgut001> policy in an EE cert, where one policy isn't a
pgut001> subset/refinement/compatible version of the other [0],
pgut001> demonstrates that the issuer is sufficiently confused over
pgut001> policy issues that the cert should be regarded as following
pgut001> no policy at all :-).

So, out of curiosity, would you regard that certificate as valid or
invalid (I hope to code better validation into OpenSSL, and handling
of policies is certainly a large part, so I'm interested as well :-))?
I'd opt for invalid unless someone can tell me I should regard as
valid and why.  I'd even go one step further and regard an EE
certificate with more than one policy as suspicious, at least.

pgut001> [0] Figuring out how to check for this is left as an
pgut001> exercise for the reader.

:-)

--
Richard Levitte     | http://richard.levitte.org/ | Spannv. 38, I
Levitte Programming | http://www.lp.se/           | S-168 35 Bromma
T: +46-708-26 53 44 |                             | SWEDEN
     "Price, performance, quality...  choose the two you like"