Just adding my voice to the chorus - I'd strongly object to limiting EE certs to a single policy OID. One of the planned deployment models uses policy OIDs as applicability labels (OK for email; OK for transactions; OK for intranet access; OK for online banking; etc.). These policy OIDs may well be standardized across multiple issuers/organizations. Thus, a given cert may well have multiple such OIDs present (loosely like having multiple card network logos on the back of your ATM/credit card) if approved for multiple purposes. This model also makes RP configuration much simpler.

As to policy qualifiers, you can deprecate them everywhere as far as I'm concerned.

Dave

> -----Original Message-----
> From: housley [mailto:housley@spyrus.com]
> Sent: Tuesday, August 31, 1999 4:57 PM
> To: ietf-pkix
> Cc: housley
> Subject: End-Entity Certificate Policies
>
> Tim Polk and I got together today to discuss the changes needed to address
> the policy mapping bug (as discussed at the Oslo meeting). As part of this
> discussion, we discussed the certificate policy extension.
>
> We believe that a CA certificate may contain one or more certificate policy
> OIDs. On the other hand, we believe that an end-entity certificate
> containing a certificate policy extension must contain a single
> certificate policy OID. RFC 2459 says:
>
>    The certificate policies extension contains a sequence of one or more
>    policy information terms, each of which consists of an object
>    identifier (OID) and optional qualifiers. These policy information
>    terms indicate the policy under which the certificate has been issued
>    and the purposes for which the certificate may be used. Optional
>    qualifiers, which may be present, are not expected to change the
>    definition of the policy.
>
> We would like to add words to make it more clear that an end-entity
> certificate may only contain a single certificate policy OID. The
> explanation of this extension's purpose in a CA certificate was not spelled
> out, so we propose to fix that too. Our proposed text is:
>
>    The certificate policies extension contains a sequence of one or more
>    policy information terms, each of which consists of an object
>    identifier (OID) and optional qualifiers. In an end-entity certificate,
>    these policy information terms indicate the single policy under which
>    the certificate has been issued and the purposes for which the certificate
>    may be used. In a CA certificate, these policy information terms
>    limit the set of policies for certification paths which include this
>    certificate. Optional qualifiers, which may be present, are not
>    expected to change the definition of the policy.
>
> Does anyone disagree?
>
> Tim and I also discussed certificate policy qualifiers. Tim and I agree
> that certificate policy qualifiers should only appear in end-entity
> certificates. That is, we agree that certificate policy qualifiers should
> never appear in a CA certificate. Does anyone (besides Mike Baum) disagree?
>
> Russ
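The certificatePolicies structure quoted from RFC 2459 above, and the relying-party "applicability label" model Dave describes, as an added example that is not code from the thread or from either author: a stdlib-only DER parser for the extension value and an RP check that can optionally enforce the single-OID rule Russ proposes. The policy OIDs 1.2.3.4.1 and 1.2.3.4.2 and the qualifier text "cps" are constructed placeholders; id-qt-cps (1.3.6.1.5.5.7.2.1) is the real qualifier OID from RFC 2459.

```python
# Added example (not from the thread): stdlib-only parsing of the
# certificatePolicies extension value plus a relying-party applicability check.

def _read_tlv(buf, pos):  # one DER TLV -> (tag, body, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):  # OBJECT IDENTIFIER body -> dotted string
    arcs, v = list(divmod(body[0], 40)), 0   # first byte packs the first two arcs
    for b in body[1:]:                       # remaining arcs are base-128, MSB = continue
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_certificate_policies(der):
    """Return [(policy OID, has_qualifiers)] for each PolicyInformation term."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    policies, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)   # PolicyInformation ::= SEQUENCE
        _, oid, end = _read_tlv(info, 0)     # policyIdentifier OID comes first
        policies.append((decode_oid(oid), end < len(info)))  # anything after it is policyQualifiers
    return policies

def rp_accepts(der, purpose_oid, single_oid_rule=False):
    """Relying-party decision: the cert is usable for a purpose if that purpose's
    label OID is present. single_oid_rule=True additionally rejects any EE cert
    carrying more than one policy OID (the rule proposed in the quoted message)."""
    oids = [oid for oid, _ in parse_certificate_policies(der)]
    if single_oid_rule and len(oids) != 1:
        return False
    return purpose_oid in oids

# Constructed sample extension value: two applicability labels under a
# placeholder arc (1.2.3.4.1, 1.2.3.4.2); the first carries an id-qt-cps
# qualifier (1.3.6.1.5.5.7.2.1, real OID from RFC 2459) with placeholder text "cps".
OK_FOR_EMAIL, OK_FOR_BANKING = "1.2.3.4.1", "1.2.3.4.2"
SAMPLE_EXT = bytes.fromhex(
    "3023"                              # certificatePolicies SEQUENCE
    "3019" "06042a030401"               #   PolicyInformation { 1.2.3.4.1,
    "3011" "300f" "06082b06010505070201" "1603637073"  # qualifiers: { id-qt-cps, IA5String "cps" } }
    "3006" "06042a030402")              #   PolicyInformation { 1.2.3.4.2 }
```

With the sample, the cert passes for either label under Dave's model but fails the single-OID rule, which is exactly the tension the two messages are arguing about.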