
RE: Certificate policy question



I wrote:

>Actually that probably provides the answer to the question: > 1 policy in an
>EE cert, where one policy isn't a subset/refinement/compatible version of the
>other [0], demonstrates that the issuer is sufficiently confused over policy
>issues that the cert should be regarded as following no policy at all :-).

Actually taking this a step further, what we really need is an idiotPolicy to
match anyPolicy:

  A CA that asserts two incompatible policies in EE certs, or has a CA cert
  with the basicConstraints CA flag set to FALSE, or keyUsage set to disallow
  the issuing of certificates, SHALL be assumed to be implicitly asserting the
  idiotPolicy.  Applications SHALL display certs from this CA as being issued
  under this policy.

Russ, could we get an OID for that? :-).

Peter.
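The three conditions in the proposed rule, written as a lint over a parsed certificate with Go's crypto/x509. This is an added example, not code from Peter or the list; the certificate it checks is constructed in memory, and the policy OIDs used in the test are placeholders under the private-enterprise arc, not real policy identifiers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// IdiotPolicyTriggers lists which conditions of the proposed rule a certificate meets.
// Whether two policies are truly incompatible needs a human; >1 OID only flags it for review.
func IdiotPolicyTriggers(c *x509.Certificate) []string {
	var out []string
	if c.BasicConstraintsValid && !c.IsCA {
		out = append(out, "basicConstraints cA=FALSE")
	}
	if c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageCertSign == 0 {
		out = append(out, "keyUsage lacks keyCertSign")
	}
	if len(c.PolicyIdentifiers) > 1 {
		out = append(out, "asserts more than one certificatePolicies OID")
	}
	return out
}
type policyInfo struct{ Policy asn1.ObjectIdentifier } // RFC 5280 PolicyInformation, no qualifiers

// ConstructedCert builds a self-signed certificate in memory (constructed test data, not a real
// CA). certificatePolicies is encoded by hand so the result does not depend on the Go version.
func ConstructedCert(isCA bool, ku x509.KeyUsage, policies ...asn1.ObjectIdentifier) *x509.Certificate {
	infos := make([]policyInfo, len(policies)) // at least one policy OID is expected
	for i, p := range policies {
		infos[i] = policyInfo{p}
	}
	val, _ := asn1.Marshal(infos) // SEQUENCE OF PolicyInformation
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Example CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}},
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above, so this cannot fail
	return c
}
```

A CA certificate with cA=TRUE and keyCertSign, carrying a single policy OID, produces an empty list; the misconfigured one from the post trips all three checks.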