cabforum / smime

Repository for the S/MIME Certificate Working Group

Clarity on Certificate Policy OIDs #255

Open srdavidson opened 1 month ago

srdavidson commented 1 month ago

Currently https://github.com/cabforum/smime/blob/main/SBR.md#7164-subscriber-certificates says

A Certificate issued to a Subscriber SHALL contain, within the Certificate's certificatePolicies extension, a policy identifier that is specified in Section 7.1.6.1.

The Certificate MAY also contain additional policy identifier(s) defined by the Issuing CA. The Issuing CA SHALL document in its CP and/or CPS that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Requirements.

This text was taken verbatim from the TLS BR as it existed at the time, where it was intended to allow "stacking" of policy identifiers in a cert or substitutions (of a CA OID for the CABF one). That text was later removed from the TLS BR which requires the TLS BR OID and is "default allow" on additionals.

It has been pointed out that the current text could be read to only allow additional OIDs that are defined by the CA, which could exclude OIDs defined by external parties like GRID or ETSI whose profiles can legitimately co-exist with the SMIME BR. The SBR was intended to allow this, so I propose the following amendment to the text.

A Certificate issued to a Subscriber SHALL contain, within the Certificate's certificatePolicies extension, a policy identifier that is specified in Section 7.1.6.1. The Certificate MAY also contain additional policy identifier(s) documented by the Issuing CA in its CP and/or CPS.
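The requirement above is the kind of rule a certificate linter enforces: the certificatePolicies extension must carry at least one of the Section 7.1.6.1 identifiers, and any further identifiers are reported for review against the CA's CP/CPS rather than rejected. The following is an added example, not code from the cabforum/smime repository; it encodes and decodes the DER value of a certificatePolicies extension by hand so it runs without a TLS library. The set of Section 7.1.6.1 identifiers is assumed (the caller must populate it from the SBR), and the CA-defined and externally defined OIDs are constructed under the documentation enterprise arc 1.3.6.1.4.1.32473.

```python
"""Minimal check of the SBR 7.1.6.4 certificatePolicies rule on a DER extension value.

Added example (not part of the cabforum/smime project). SBR_POLICY_OIDS is an
assumed stand-in for the identifiers in Section 7.1.6.1; the other OIDs are
constructed under the documentation enterprise number (RFC 5612).
"""

# Assumed: one identifier from SBR Section 7.1.6.1; populate from the SBR text.
SBR_POLICY_OIDS = {"2.23.140.1.5.1.1"}
# Constructed: stands in for an OID defined by the Issuing CA itself.
CA_OWN_OID = "1.3.6.1.4.1.32473.1"
# Constructed: stands in for an OID defined by an external profile (ETSI, GRID, ...).
EXTERNAL_OID = "1.3.6.1.4.1.32473.2"


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, most significant group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def _encode_seq(content: bytes) -> bytes:
    return b"\x30" + _der_len(len(content)) + content


def encode_certificate_policies(oids) -> bytes:
    """DER value of certificatePolicies: SEQUENCE OF PolicyInformation (no qualifiers)."""
    return _encode_seq(b"".join(_encode_seq(_encode_oid(o)) for o in oids))


def _read_tlv(data: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = data[pos], data[pos + 1]
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    else:
        length, pos = first, pos + 2
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_certificate_policies(der: bytes) -> list:
    """Return the policyIdentifier OIDs of a DER certificatePolicies value, in order."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)  # PolicyInformation
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        otag, oid_body, _ = _read_tlv(info, 0)  # policyIdentifier; qualifiers ignored
        if otag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(oid_body))
    return oids


def check_subscriber_policies(der: bytes, sbr_oids: set) -> dict:
    """Apply the 7.1.6.4 rule: at least one 7.1.6.1 OID; extra OIDs are listed, not rejected.

    'duplicates' flags the RFC 5280 rule that a policy OID appears at most once.
    """
    oids = decode_certificate_policies(der)
    return {
        "compliant": any(o in sbr_oids for o in oids),
        "sbr_oids": [o for o in oids if o in sbr_oids],
        "additional": [o for o in oids if o not in sbr_oids],  # review against CP/CPS
        "duplicates": sorted({o for o in oids if oids.count(o) > 1}),
    }


def demo() -> dict:
    """A stacked extension: SBR OID plus a CA-defined and an external OID."""
    stacked = encode_certificate_policies([next(iter(SBR_POLICY_OIDS)), CA_OWN_OID, EXTERNAL_OID])
    return check_subscriber_policies(stacked, SBR_POLICY_OIDS)


if __name__ == "__main__":
    print(demo())
```

The check deliberately cannot decide whether an additional OID is "defined by the Issuing CA" or by an external party; that is the ambiguity the proposed wording removes. What a linter can verify is presence of a Section 7.1.6.1 identifier, absence of duplicates, and a list of additional identifiers for a human to match against the CP/CPS.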

srdavidson commented 1 month ago

See draft update to SBR at https://github.com/srdavidson/smime/commit/9604680f9d8ae42f701ebb15c004b2f229cc8509