
Re: Certificate policy question



Richard Levitte - VMS Whacker <levitte@xxxxx> writes:

>So, out of curiosity, would you regard that certificate as valid or invalid (I
>hope to code better validation into OpenSSL, and handling of policies is
>certainly a large part, so I'm interested as well :-))? I'd opt for invalid
>unless someone can tell me I should regard as valid and why.  I'd even go one
>step further and regard an EE certificate with more than one policy as suspicious,
>at least.

I regarded it as suspicious and checked the CPS, whereupon I regarded it as
*really* suspicious.  However from some of the other comments posted here, it
makes sense to regard the policies as a OR b OR c rather than a AND b AND c
(or UNION or INTERSECTION or something similar).  It'd be useful to have this
mentioned explicitly somewhere though, since reverse-engineering the effect of
the path-processing algorithm, and then trying to decide whether the effect
achieved when two incompatible policies are present is intentional or
coincidental, is rather tricky.

Peter.
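
The OR-within-a-certificate, intersection-along-the-path reading discussed above, as an added example that is not part of the original message and is not OpenSSL code. It is a simplified model of the policy handling in RFC 5280 section 6.1 that assumes no policy mappings, no policy constraints, no inhibitAnyPolicy and no qualifiers; the function names and the policy OIDs other than anyPolicy are constructed for illustration.

```python
# Simplified model of certificate-policy processing (after RFC 5280, section 6.1).
# Assumptions: no policy mappings, policy constraints, inhibitAnyPolicy or qualifiers.
ANY_POLICY = "2.5.29.32.0"        # anyPolicy OID
POLICY_A = "1.3.6.1.4.1.99999.1"  # constructed sample OIDs
POLICY_B = "1.3.6.1.4.1.99999.2"
POLICY_C = "1.3.6.1.4.1.99999.3"


def path_policies(chain):
    """Return the set of policies valid for the whole path.

    chain: list of policy-OID sets, ordered from the first CA certificate
    down to the end-entity certificate. None means the certificate carries
    no certificatePolicies extension.
    """
    valid = {ANY_POLICY}  # before the first certificate, any policy is possible
    for cert_policies in chain:
        if cert_policies is None:
            return set()  # no extension: nothing is valid below this point
        if ANY_POLICY in valid:
            # Everything above allowed any policy, so this certificate's
            # own list becomes the set of alternatives.
            valid = set(cert_policies)
        elif ANY_POLICY not in cert_policies:
            # Each listed policy is an alternative (OR); only those also
            # asserted higher up survive (intersection along the path).
            valid &= set(cert_policies)
        # else: anyPolicy in this certificate keeps every policy still valid
    return valid


def acceptable(chain, user_policies):
    """True if the path is valid under at least one policy the relying party accepts."""
    valid = path_policies(chain)
    if ANY_POLICY in user_policies:
        return bool(valid)
    return ANY_POLICY in valid or bool(valid & set(user_policies))


if __name__ == "__main__":
    # Constructed path: the CA asserts A and B, the EE certificate asserts A and C.
    chain = [{POLICY_A, POLICY_B}, {POLICY_A, POLICY_C}]
    print("valid for path:", path_policies(chain))
    print("relying party wants A:", acceptable(chain, {POLICY_A}))
    print("relying party wants C:", acceptable(chain, {POLICY_C}))
```

Under this model an end-entity certificate listing two policies is not rejected for that reason alone: the path is usable under whichever listed policy is also asserted by every certificate above it, and the relying party decides which of those it accepts.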