RE: End-Entity Certificate Policies
> Good idea, as far as I can see. If policy qualifiers have a use, it's
> surely for EE certs. Heaven forbid that every successive CA cert in a path
> should cause a message to be displayed, or require a click acceptance.
The particular processing you suggest for handling qualifiers in critical policy extensions w/qualifiers should be distinguished from the mere existence of a qualifier value, in critical or non-critical policy extensions.

If you check a VeriSign public intermediate CA using the Windows UI interface, for example, it *offers* you a button, which you *may* click, to chase down the https URL built into the qualifier of a non-critical policy extension, and learn today's details of what reliance means, and determine the warranted financial protections offered today.

There is no downside to this design. There are many upsides for PKIs addressing trade and commerce whose activities are backed by reinsurance. Removing it serves no purpose. It has zero relevance to the cited bug fix, and seems to reflect Russ' personal preference to remove qualifiers from the face of the earth. His preference was not reasonable during 2459 design, and is still not reasonable.

No particular military or US Federal assurance domain is required to use or accept them, however. Those other domains that do, accrue many benefits. As the internet PKI is a collection of autonomous domains, who can evidently interoperate using PKIX rules, the current working infrastructure should continue.
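The distinction the post draws, between an extension being marked critical and a policy merely carrying a qualifier such as a CPS URI, is easy to see when the certificatePolicies extension is decoded field by field. The following is an added example, not code from the thread or from any PKIX implementation: a minimal DER walker that builds and parses a certificatePolicies Extension and reports the two facts separately. The OIDs for certificatePolicies, id-qt-cps and anyPolicy are the real RFC 5280 values; the second policy OID and the CPS URL are constructed placeholders, and no real CA certificate is read.

```python
# Added example: decode the X.509 certificatePolicies extension and report
# criticality and qualifier presence as two independent facts.
# EXAMPLE_POLICY and the CPS URL in the usage block are constructed placeholders.

ID_CE_CERTIFICATE_POLICIES = "2.5.29.32"   # real OID (RFC 5280)
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"            # real OID: id-qt-cps (CPS URI qualifier)
ANY_POLICY = "2.5.29.32.0"                 # real OID: anyPolicy
EXAMPLE_POLICY = "1.3.6.1.4.1.99999.1.1"   # constructed placeholder policy OID

def _tlv(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(oid):
    """Dotted-string OID -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out

def _decode_oid(value):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def build_extension(critical, policies):
    """Build a DER Extension; policies is a list of (policy_oid, cps_uri_or_None)."""
    infos = b""
    for oid, cps in policies:
        body = _encode_oid(oid)
        if cps is not None:                         # PolicyQualifierInfo with a CPSuri
            qualifier = _tlv(0x30, _encode_oid(ID_QT_CPS) + _tlv(0x16, cps.encode("ascii")))
            body += _tlv(0x30, qualifier)           # policyQualifiers SEQUENCE OF
        infos += _tlv(0x30, body)                   # PolicyInformation
    ext = _encode_oid(ID_CE_CERTIFICATE_POLICIES)
    if critical:
        ext += _tlv(0x01, b"\xff")                  # critical BOOLEAN TRUE
    return _tlv(0x30, ext + _tlv(0x04, _tlv(0x30, infos)))  # extnValue OCTET STRING

def parse_extension(der):
    """Decode an Extension holding certificatePolicies into a plain dict."""
    _, body, _ = _read_tlv(der, 0)
    parts = _children(body)
    critical, idx = False, 1
    if parts[idx][0] == 0x01:                       # optional critical BOOLEAN
        critical, idx = parts[idx][1] != b"\x00", idx + 1
    _, infos, _ = _read_tlv(parts[idx][1], 0)       # OCTET STRING wraps the SEQUENCE
    policies = []
    for _, info in _children(infos):
        fields = _children(info)
        entry = {"policy": _decode_oid(fields[0][1]), "qualifiers": []}
        if len(fields) > 1:                         # policyQualifiers present
            for _, q in _children(fields[1][1]):
                (_, qid), (_, qval) = _children(q)
                qid = _decode_oid(qid)
                text = qval.decode("ascii") if qid == ID_QT_CPS else qval
                entry["qualifiers"].append((qid, text))
        policies.append(entry)
    return {"extnID": _decode_oid(parts[0][1]), "critical": critical, "policies": policies}

def summarize(ext):
    """Report criticality and qualifier presence as separate facts."""
    cps_uris = [t for p in ext["policies"] for q, t in p["qualifiers"] if q == ID_QT_CPS]
    return {"critical": ext["critical"],
            "has_qualifier": any(p["qualifiers"] for p in ext["policies"]),
            "cps_uris": cps_uris}

if __name__ == "__main__":
    # Non-critical extension carrying a CPS URI: a UI may offer the link, nothing forces a click.
    der = build_extension(False, [(ANY_POLICY, "https://cps.example.invalid/cps")])
    print(summarize(parse_extension(der)))
```

A relying party that keys any mandatory prompt off `critical` alone, and treats `cps_uris` as information it may offer, matches the behaviour the post describes for the non-critical case; a parser that conflates the two fields is where the objection arises.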