Carl,

I believe that RFC 3280's requirement in this case becomes more clear if
you read the end of section 6.1.4:

   6.1.4 Preparation for Certificate i+1

   To prepare for processing of certificate i+1, perform the following
   steps for certificate i:

   (a) If a policy mapping extension is present, verify that the
   special value anyPolicy does not appear as an issuerDomainPolicy
   or a subjectDomainPolicy.

   If check (a), (k), (l), (n) or (o) fails, the procedure terminates,
   returning a failure indication and an appropriate reason.

   If (a), (k), (l), (n) and (o) have completed successfully, increment
   i and perform the basic certificate processing specified in 6.1.3.

I do not think it would be a good idea to change this to state that the
bad policy mappings should just be ignored. Note that even when policy
mappings are inhibited, the mappings in the policyMappings extension
must still be processed by pruning out any branches in the valid policy
tree in which the expected policy is one of the policies specified in
an issuerDomainPolicy.

I hope that we will never see real certificates that include policy
mappings extensions that map to or from anyPolicy. Any such
certificates would, however, be seriously flawed and I don't see that
the benefits of accepting them outweigh the risks.

Dave

Carl Wallace wrote:

Test cases 4.10.7 and 4.10.8 test handling of policy mapping extensions
containing the anyPolicy OID. Both tests are expected to fail. The test
details are as follows:

4.10.7
Root -> Inter (Policies=any; Policy mapping=any->1; ReqExpPol=0) ->
EE (Policies=1)

4.10.8
Root -> Inter (Policies=1; Policy mapping=1->any; ReqExpPol=0) -> EE
(Policies=any)

Absent the mapping, both paths are fine. Thus, an implementation that
ignores the errant mapping will accept these paths. Given that 3280 is
silent on what should happen when a policy mapping extension includes
anyPolicy, it's difficult to state what the expected result for these tests
should be. The text from 3280 section 6.1.4 is as follows:

   (a) If a policy mapping extension is present, verify that the
   special value anyPolicy does not appear as an issuerDomainPolicy
   or a subjectDomainPolicy.

3280 needs some clarity in this area to indicate whether mappings that
include anyPolicy should be ignored or the associated certificate discarded.
I prefer the former. Until 3280 is clarified, 4.10.7 and 4.10.8 should
probably be removed - or the expected result changed to success:-)

In any case, there could be a test that relies on application of the mapping
in order to succeed. For example:

4.10.8-modified (expected result = fail)
Root -> Inter (Policies=1; Policy mapping=1->any; ReqExpPol=0) -> EE
(Policies=2)

Carl
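
The three paths discussed in this thread, run through a small model of policy processing. This is an added example, not part of either message and not code from RFC 3280 or the test suite. It tracks a flat set of expected policies instead of the RFC's valid_policy_tree, assumes an explicit policy is required at every certificate, and uses the labels "1" and "2" from the messages in place of real OIDs; the "apply" mode is a hypothetical non-conforming validator included only for comparison.

```python
ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID
MODES = ("reject", "ignore", "apply")

def validate_policies(path, on_bad_mapping="reject"):
    """Return True if the path passes policy processing in this simplified model.

    path: certificates below the trust anchor, each a dict with "policies"
    and optional "mappings" [(issuerDomainPolicy, subjectDomainPolicy), ...].
    on_bad_mapping: "reject" follows 6.1.4 step (a); "ignore" drops mappings
    that contain anyPolicy; "apply" (hypothetical) honours them as written.
    """
    if on_bad_mapping not in MODES:
        raise ValueError(on_bad_mapping)
    expected = {ANY_POLICY}              # nothing is constrained at the start
    for cert in path:
        asserted = set(cert["policies"])
        if ANY_POLICY in expected:
            valid = asserted             # anything the certificate asserts is acceptable
        elif ANY_POLICY in asserted:
            valid = set(expected)        # anyPolicy matches every expected policy
        else:
            valid = expected & asserted
        if not valid:
            return False                 # no policy survives and one is required
        mappings = cert.get("mappings", [])
        bad = [m for m in mappings if ANY_POLICY in m]
        if bad and on_bad_mapping == "reject":
            return False                 # step (a) failed: terminate with failure
        if on_bad_mapping == "ignore":
            mappings = [m for m in mappings if m not in bad]
        mapped = {}
        for issuer_domain, subject_domain in mappings:
            mapped.setdefault(issuer_domain, set()).add(subject_domain)
        expected = set()
        for policy in valid:             # mapped policies are replaced, others carried over
            expected |= mapped.get(policy, {policy})
    return True

# Constructed from the path descriptions in the messages above (Root is the trust anchor).
PATHS = {
    "4.10.7": [{"policies": [ANY_POLICY], "mappings": [(ANY_POLICY, "1")]},
               {"policies": ["1"]}],
    "4.10.8": [{"policies": ["1"], "mappings": [("1", ANY_POLICY)]},
               {"policies": [ANY_POLICY]}],
    "4.10.8-modified": [{"policies": ["1"], "mappings": [("1", ANY_POLICY)]},
                        {"policies": ["2"]}],
}

def results():
    return {name: {mode: validate_policies(path, mode) for mode in MODES}
            for name, path in PATHS.items()}

if __name__ == "__main__":
    for name, row in results().items():
        print(name, row)
```

In this model 4.10.7 and 4.10.8 separate a validator that rejects from one that ignores, while 4.10.8-modified fails under both and passes only when the mapping to anyPolicy is applied.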