Carl,
I believe that RFC 3280's requirement in this case becomes more clear if you read the end of section 6.1.4:

   6.1.4 Preparation for Certificate i+1

   To prepare for processing of certificate i+1, perform the following
   steps for certificate i:

      (a) If a policy mapping extension is present, verify that the
      special value anyPolicy does not appear as an issuerDomainPolicy
      or a subjectDomainPolicy.

   If check (a), (k), (l), (n) or (o) fails, the procedure terminates,
   returning a failure indication and an appropriate reason.

   If (a), (k), (l), (n) and (o) have completed successfully, increment
   i and perform the basic certificate processing specified in 6.1.3.

I do not think it would be a good idea to change this to state that the
bad policy mappings should just be ignored. Note that even when policy
mappings are inhibited, the mappings in the policyMappings extension must
still be processed by pruning out any branches in the valid policy tree in
which the expected policy is one of the policies specified in an
issuerDomainPolicy.

I hope that we will never see real certificates that include policy mappings
extensions that map to or from anyPolicy. Any such certificates would, however, be seriously
from anyPolicy. Any such certificates would, however, be seriously
flawed and I don't see that the benefits of accepting them outweigh the
risks.
Dave
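
Added example, not part of the message above or of RFC 3280's text: a Python model of check (a) from section 6.1.4 together with the mapping step that follows it, showing that an anyPolicy mapping terminates validation and that mappings still prune the tree when policy mapping is inhibited. The function and exception names, the flat list standing in for the depth-i layer of the valid policy tree, and the sample OIDs in the usage are assumptions made for illustration.

```python
ANY_POLICY = "2.5.29.32.0"  # OID of the special value anyPolicy


class PathValidationError(Exception):
    """A 6.1.4 check failed; path validation must terminate."""


def prepare_for_next_cert(mappings, depth_i_nodes, policy_mapping):
    """Process the policyMappings extension of certificate i.

    mappings       -- list of (issuerDomainPolicy, subjectDomainPolicy) OID
                      strings, or None when the extension is absent
    depth_i_nodes  -- list of dicts with 'valid_policy' and
                      'expected_policy_set' (hypothetical flat stand-in for
                      the depth-i nodes of the valid policy tree)
    policy_mapping -- state variable; 0 means policy mapping is inhibited
    Returns the depth-i nodes that survive.
    """
    if mappings is None:
        return depth_i_nodes

    # Check (a): anyPolicy on either side is a hard failure, not something
    # to skip over. Run it before touching the tree.
    for issuer_p, subject_p in mappings:
        if ANY_POLICY in (issuer_p, subject_p):
            raise PathValidationError(
                "policyMappings maps to or from anyPolicy: %s -> %s"
                % (issuer_p, subject_p))

    # Group subjectDomainPolicy values by issuerDomainPolicy.
    mapped = {}
    for issuer_p, subject_p in mappings:
        mapped.setdefault(issuer_p, set()).add(subject_p)

    if policy_mapping > 0:
        # Mapping allowed: the mapped policy now expects the subject-domain
        # equivalents in the next certificate.
        for node in depth_i_nodes:
            if node["valid_policy"] in mapped:
                node["expected_policy_set"] = set(mapped[node["valid_policy"]])
        return depth_i_nodes

    # Mapping inhibited: the extension is still processed, by deleting
    # every depth-i node whose policy appears as an issuerDomainPolicy.
    return [n for n in depth_i_nodes if n["valid_policy"] not in mapped]
```

This models only the depth-i layer; a full implementation would also delete ancestors left without children after pruning.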