RE: Certificate policy question



Peter,

Is it possible for you to disclose what these policies are that are 
contradictory or mutually exclusive?  It would also be useful to know what 
application these certs are meant to be used in.

Thanks.

Khaja
> That would be a non-conformant implementation. Please read the standard -
> your answers are there. X.509 clause 8.2.2.6 is the clause that defines
> the certificatePolicies extension. It begins with "This field lists
> certificate policies, recognized by the ......". The path validation
> clauses are consistent with this. I don't see how you could possibly
> interpret it any other way.
> 
> One very simple example of where this is useful is a situation where an
> enterprise has 2 certificate policies differing only in their scope with
> respect to email. One policy OID indicates that certificates issued under
> this policy can be used for internal enterprise email. Another policy OID
> indicates that certificates issued under this policy can be used for
> external email. A user who is permitted to do external secure email as
> well as internal would have both OIDs in their cert. Any cross certs
> issued to other enterprises with which secure email could be exchanged
> would contain ONLY the external email OID. Internal users would be
> configured with acceptable policy sets that enable them to validate each
> other's internal certificates for internal email. Users in other
> organizations would validate only the certs that had the policy that was
> contained in the cross cert relevant to that enterprise (i.e. the
> external OID).
> 
> There are existing environments where techniques such as this are in
> operational use today. Other environments using policy for levels of
> assurance do a similar thing and a user whose cert is good for level 3
> (but is also good for levels 2 and 1) would contain all three OIDs.
> Different relying parties, depending on their own local security policy,
> would be validating based on whatever policy is relevant. So, in this
> case, for example, a relying party who required level 4 would fail
> validation for that cert but a relying party who required level 1, 2 or 3
> would pass.
> 
> Sharon
> 
> -----Original Message-----
> From: Richard Levitte - VMS Whacker [mailto:levitte@xxxxx]
> Sent: Thursday, December 12, 2002 6:14 AM
> To: pgut001@xxxxxxxxxxxxxxxxx
> Cc: dwfilli@xxxxxxxxxxxxxx; ietf-pkix@xxxxxxx
> Subject: Re: Certificate policy question
> 
> 
> 
> In message <200212120156.gBC1uZb28698@xxxxxxxxxxxxxxxxxxxxxxxxxx> on
> Thu, 12 Dec 2002 14:56:35 +1300, pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)
> said:
> 
> pgut001> Actually that probably provides the answer to the question:
> pgut001> > 1 policy in an EE cert, where one policy isn't a
> pgut001> subset/refinement/compatible version of the other [0],
> pgut001> demonstrates that the issuer is sufficiently confused over
> pgut001> policy issues that the cert should be regarded as following
> pgut001> no policy at all :-).
> 
> So, out of curiosity, would you regard that certificate as valid or
> invalid (I hope to code better validation into OpenSSL, and handling
> of policies is certainly a large part, so I'm interested as well :-))?
> I'd opt for invalid unless someone can tell me I should regard as
> valid and why.  I'd even go one step further and regard an EE
> certificate with more than one policy as suspicious, at least.
> 
> pgut001> [0] Figuring out how to check for this is left as an
> pgut001> exercise for the reader.
> 
> :-)
> 
> -- 
> Richard Levitte     | http://richard.levitte.org/ | Spannv. 38, I
> Levitte Programming | http://www.lp.se/           | S-168 35 Bromma
> T: +46-708-26 53 44 |                             | SWEDEN
>      "Price, performance, quality...  choose the two you like"
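
The relying-party behaviour described in the quoted reply (several policy OIDs in one EE certificate, a cross certificate carrying only the external OID, and each relying party checking against its own acceptable policy set) can be sketched as follows. This is an added example, not code from the thread or from OpenSSL; the policy OIDs are constructed under the 2.999 example arc, the function names are hypothetical, and the model is simplified: no policy mappings, qualifiers or inhibitAnyPolicy, and an explicit policy is always required.

```python
# Constructed OIDs under the 2.999 example arc; not real policy assignments.
INTERNAL_EMAIL = "2.999.1.1"
EXTERNAL_EMAIL = "2.999.1.2"
LEVEL = {n: f"2.999.2.{n}" for n in (1, 2, 3, 4)}
ANY_POLICY = "2.5.29.32.0"  # anyPolicy, the standard wildcard policy OID


def path_policies(path):
    """Return the policies under which the whole path is valid.

    `path` lists each certificate's certificatePolicies OIDs, starting with
    the certificate issued by the trust anchor and ending with the EE cert.
    None means the extension is absent, which leaves no valid policy.
    """
    valid = {ANY_POLICY}  # nothing has constrained the path yet
    for cert_policies in path:
        if cert_policies is None:
            return set()
        asserted = set(cert_policies)
        if ANY_POLICY in asserted:
            continue  # this certificate adds no constraint
        valid = asserted if ANY_POLICY in valid else valid & asserted
    return valid


def relying_party_accepts(path, acceptable):
    """True if the path is valid under at least one acceptable policy."""
    valid = path_policies(path)
    if ANY_POLICY in valid or ANY_POLICY in acceptable:
        return bool(valid)
    return bool(valid & set(acceptable))


# Constructed certificates, reduced to their policy OID lists.
user_both = [INTERNAL_EMAIL, EXTERNAL_EMAIL]
user_internal_only = [INTERNAL_EMAIL]
cross_cert = [EXTERNAL_EMAIL]  # issued to the other enterprise
level3_user = [LEVEL[1], LEVEL[2], LEVEL[3]]

if __name__ == "__main__":
    print("internal RP, two-OID user:",
          relying_party_accepts([user_both], {INTERNAL_EMAIL}))
    print("external RP via cross cert, two-OID user:",
          relying_party_accepts([cross_cert, user_both], {EXTERNAL_EMAIL}))
    print("external RP via cross cert, internal-only user:",
          relying_party_accepts([cross_cert, user_internal_only], {EXTERNAL_EMAIL}))
    print("RP requiring level 4, level-3 user:",
          relying_party_accepts([level3_user], {LEVEL[4]}))
```

In this model an EE certificate with more than one policy is not an error by itself: the path is rejected only when none of the policies that survive the intersection is in the relying party's acceptable set.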