Test cases 4.10.7 and 4.10.8



Test cases 4.10.7 and 4.10.8 test handling of policy mapping extensions
containing the anyPolicy OID.  Both tests are expected to fail.  The test
details are as follows:

4.10.7
	Root -> Inter (Policies=any; Policy mapping=any->1; ReqExpPol=0) -> EE (Policies=1)

4.10.8
	Root -> Inter (Policies=1; Policy mapping=1->any; ReqExpPol=0) -> EE (Policies=any)

Absent the mapping, both paths are fine.  Thus, an implementation that
ignores the errant mapping will accept these paths.  Given that 3280 is
silent on what should happen when a policy mapping extension includes
anyPolicy, it's difficult to state what the expected result for these tests
should be.  The text from 3280 section 6.1.4 is as follows:

      (a)  If a policy mapping extension is present, verify that the
      special value anyPolicy does not appear as an issuerDomainPolicy
      or a subjectDomainPolicy.    

3280 needs some clarity in this area to indicate whether mappings that
include anyPolicy should be ignored or the associated certificate discarded.
I prefer the former.  Until 3280 is clarified, 4.10.7 and 4.10.8 should
probably be removed - or the expected result changed to success:-)

In any case, there could be a test that relies on application of the mapping
in order to succeed.  For example:

4.10.8-modified (expected result = fail)
	Root -> Inter (Policies=1; Policy mapping=1->any; ReqExpPol=0) -> EE (Policies=2)

Carl
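
Added example (not part of the original message, and not code from any validator or test suite): a simplified policy-set model of the three paths above, run under three ways of treating a mapping that contains anyPolicy. It assumes a flat set of valid policies instead of the full RFC 3280 policy tree, treats explicit policy as always required (ReqExpPol=0), and the mode names "reject", "ignore" and "apply" are hypothetical labels.

```python
ANY = "anyPolicy"

def intersect(valid, cert_policies):
    """Policies still valid after a certificate asserting cert_policies."""
    if ANY in valid:
        return set(cert_policies)
    if ANY in cert_policies:
        return set(valid)
    return valid & set(cert_policies)

def validate(path, mode):
    """path: [(policies, mappings), ...] from the intermediate down to the EE.
    mode: how a mapping that names anyPolicy is treated (assumed labels):
      'reject' - the path fails, 'ignore' - the mapping is skipped,
      'apply'  - the mapping is used like any other."""
    valid = {ANY}                      # initial policy set: anyPolicy
    for policies, mappings in path:
        valid = intersect(valid, policies)
        if not valid:                  # explicit policy required, none left
            return False
        mapped = set(valid)
        for issuer, subject in mappings:
            if ANY in (issuer, subject):
                if mode == "reject":
                    return False
                if mode == "ignore":
                    continue
            if issuer in valid:        # rewrite into the subject domain
                mapped.discard(issuer)
                mapped.add(subject)
        valid = mapped
    return True

# Constructed from the path descriptions in the message; "1" and "2" stand
# for the test policy OIDs.
PATHS = {
    "4.10.7":          [({ANY}, [(ANY, "1")]), ({"1"}, [])],
    "4.10.8":          [({"1"}, [("1", ANY)]), ({ANY}, [])],
    "4.10.8-modified": [({"1"}, [("1", ANY)]), ({"2"}, [])],
}

def results():
    """Accept/fail outcome of every path under every mode."""
    return {name: {m: validate(p, m) for m in ("reject", "ignore", "apply")}
            for name, p in PATHS.items()}

if __name__ == "__main__":
    for name, outcome in results().items():
        print(name, outcome)
```

In this model 4.10.7 and 4.10.8 separate "reject" from the other two behaviours, while 4.10.8-modified fails under both "reject" and "ignore" and is accepted only when the mapping is applied.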






