Please add this lint to verify that a TLS Subordinate CA certificate complies with §7.1.2.10.5 of the BRs (CA Certificate Policies).
In particular, this lint checks that Certificate Policies extension either contains the AnyPolicy OID alone (according to Table 69 in the BRs) or it contains at least one CABF Reserved Policy OID (according to Table 70).
Preliminarily, this lint checks that the CertificatePolicies extension is present, this being a requirement for all TLS Subordinate CAs as prescribed by various sections of Chapter 7 of the BRs. This could be considered a separate check and, as such, it could be moved to a separate lint, but I think it's simpler to leave it in here.
Please add this lint to verify that a TLS Subordinate CA certificate complies with §7.1.2.10.5 of the BRs (CA Certificate Policies).
In particular, this lint checks that Certificate Policies extension either contains the AnyPolicy OID alone (according to Table 69 in the BRs) or it contains at least one CABF Reserved Policy OID (according to Table 70).
Preliminarily, this lint checks that the CertificatePolicies extension is present, this being a requirement for all TLS Subordinate CAs as prescribed by various sections of Chapter 7 of the BRs. This could be considered a separate check and, as such, it could be moved to a separate lint, but I think it's simpler to leave it in here.
Examples of CA certificates failing this lint can be found at https://bugzilla.mozilla.org/show_bug.cgi?id=1921597