
RE: Certificate policy question

Peter:

We only assign OIDs to things that are documented in RFCs (or documents
that are intended to be published as an RFC). When you write the document
describing idiotPolicy, I'll assign the OID ;-)

Russ

At 02:16 PM 12/13/2002 +1300, Peter Gutmann wrote:

I wrote:

>Actually that probably provides the answer to the question: > 1 policy in an
>EE cert, where one policy isn't a subset/refinement/compatible version of the
>other [0], demonstrates that the issuer is sufficiently confused over policy
>issues that the cert should be regarded as following no policy at all :-).
Actually taking this a step further, what we really need is an idiotPolicy to
match anyPolicy:

A CA that asserts two incompatible policies in EE certs, or has a CA cert
with the basicConstraints CA flag set to FALSE, or keyUsage set to disallow
the issuing of certificates, SHALL be assumed to be implicitly asserting the
idiotPolicy. Applications SHALL display certs from this CA as being issued
under this policy.
Russ, could we get an OID for that? :-).

Peter.
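A check for the two CA-certificate conditions in Peter's mock policy (a CA cert whose basicConstraints says cA=FALSE, or whose keyUsage excludes keyCertSign), added here as an illustration and not part of the thread. It uses Go's standard crypto/x509 package with a constructed self-signed test certificate; the "incompatible policies" condition is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssuerProblems lists why a certificate that is being used to sign other
// certificates would fall under the thread's "idiotPolicy": its own
// basicConstraints or keyUsage extension says it must not issue certificates.
func IssuerProblems(issuer *x509.Certificate) []string {
	var problems []string
	if !issuer.BasicConstraintsValid || !issuer.IsCA {
		problems = append(problems, "basicConstraints does not assert cA=TRUE")
	}
	// An absent keyUsage imposes no restriction; a present one must include keyCertSign.
	if issuer.KeyUsage != 0 && issuer.KeyUsage&x509.KeyUsageCertSign == 0 {
		problems = append(problems, "keyUsage is present but lacks keyCertSign")
	}
	return problems
}

// makeCert builds a self-signed test certificate (constructed sample data, not a real CA).
func makeCert(isCA bool, ku x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true, // always emit the extension so cA=FALSE is explicit
		IsCA:                  isCA,
		KeyUsage:              ku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate chain validator that applies these two checks to every issuer rejects the chain outright; this version only reports the reasons so they can be logged.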