cabforum / servercert

Repository for the CA/Browser Forum Server Certificate Chartered Working Group
https://cabforum.org/working-groups/scwg/
159 stars 104 forks source link

CA Certificate Certificate Policies use of Profile #538

Open XolphinMartijn opened 2 months ago

XolphinMartijn commented 2 months ago

Section 7.1.2.10.5 (CA Certificate Certificate Policies) states:

_This Profile RECOMMENDS that the first PolicyInformation value within the Certificate Policies extension contains the Reserved Certificate Policy Identifier (see 7.1.6.1)3. Regardless of the order of PolicyInformation values, the Certificate Policies extension MUST contain exactly one Reserved Certificate Policy Identifier._

It makes sense that this only applies to the "Policy Restricted" table. however the language uses "This Profile", where no direct profile is mentioned. If this language would be applicable for the entire section, then the "anyPolicy" cannot be used, as it is not a Reserved Certificate Policy Identifier.

Suggest we in a cleanup ballot clearly clarify it applies to the second table only

github-actions[bot] commented 2 months ago

This issue was created based on: