
RE: Certificate policy question



Richard:

If the CA is asserting conflicting policies, do you trust it to operate
properly in other areas?

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Richard Levitte - VMS Whacker
Sent: Thursday, December 12, 2002 2:17 PM
To: ambarish@xxxxxxxxxxx
Cc: pgut001@xxxxxxxxxxxxxxxxx; dwfilli@xxxxxxxxxxxxxx; ietf-pkix@xxxxxxx
Subject: Re: Certificate policy question



In message <BFEMKEKPCAINGFNEOGMEOEFCCBAA.ambarish@xxxxxxxxxxx> on Thu,
12 Dec 2002 09:42:32 -0800, "Ambarish Malpani" <ambarish@xxxxxxxxxxx>
said:

ambarish>     You might want to regard the certificate as being 
ambarish> compatible with *both* the policies specified. If either of 
ambarish> the policies is acceptable for your needs (and you can create 
ambarish> a valid path), feel free to accept the certificate. That is 
ambarish> the best you can do as certificate processing software.
ambarish> 
ambarish> If the CA should not have issued a cert with both policies 
ambarish> (because they are incompatible, etc.), that is a problem you 
ambarish> should let the CA deal with.

As I understand Peter, the two policies weren't compatible.  So OK, the
way to deal with it would then be to speak with the CA in question, and
then set them up in my own software as untrusted, at least until they've
dealt with the situation and reissued the offending certificate.

After all, this is about trust, and I can't see how I can trust anything
from a CA that issues the kind of certificate I believe Peter is talking about.

Harsh?  Tough!

-- 
Richard Levitte     | http://richard.levitte.org/ | Spannv. 38, I
Levitte Programming | http://www.lp.se/           | S-168 35 Bromma
T: +46-708-26 53 44 |                             | SWEDEN
     "Price, performance, quality...  choose the two you like"