constraints: Don't reject certificates with invalid certificate policies
author Martin Willi <martin@revosec.ch>
Fri, 10 Oct 2014 14:33:56 +0000 (16:33 +0200)
committer Martin Willi <martin@revosec.ch>
Thu, 30 Oct 2014 10:32:19 +0000 (11:32 +0100)
Instead of rejecting the certificate completely if a certificate has a policy
OID that is actually not allowed by the issuer CA, we accept it. However, the
certificate policy itself is still considered invalid, and is not returned
in the auth config resulting from trust chain operations.

A user must make sure to rely on the returned auth config certificate policies
instead of the policies contained in the certificate; even if the certificate
is valid, the policy OID itself in the certificate is not to be trusted
anymore.


No differences found
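The behaviour the commit message describes, modeled as an added example (not strongSwan code and not part of this commit): the certificate is accepted, but only policy OIDs the issuer permits reach the result a caller should consult. `policy_set_t`, `filter_policies` and `demo_authorized` are hypothetical names, the OIDs are constructed from the 2.999 example arc, and "allowed by the issuer CA" is assumed to mean membership in the issuer's own policy list.

```c
#include <stdio.h>
#include <string.h>
#define MAX_POLICIES 8

/* Hypothetical model of a policy OID list; not a strongSwan type. */
typedef struct {
    const char *oids[MAX_POLICIES];
    size_t count;
} policy_set_t;

static int set_contains(const policy_set_t *set, const char *oid)
{
    for (size_t i = 0; i < set->count; i++)
        if (strcmp(set->oids[i], oid) == 0)
            return 1;
    return 0;
}

/* Keep only the claimed OIDs that the issuer CA also permits. The certificate
 * is not rejected; returns how many OIDs were dropped as invalid. */
size_t filter_policies(const policy_set_t *claimed,
                       const policy_set_t *allowed, policy_set_t *trusted)
{
    size_t dropped = 0;
    trusted->count = 0;
    for (size_t i = 0; i < claimed->count; i++) {
        if (set_contains(allowed, claimed->oids[i]))
            trusted->oids[trusted->count++] = claimed->oids[i];
        else
            dropped++;
    }
    return dropped;
}

/* Constructed sample (2.999 is the example OID arc): the certificate claims
 * two policies, the issuer CA permits only the first. */
int demo_authorized(const char *required_oid, int use_raw_list)
{
    policy_set_t claimed = { { "2.999.1", "2.999.2" }, 2 };
    policy_set_t allowed = { { "2.999.1" }, 1 };
    policy_set_t trusted;
    filter_policies(&claimed, &allowed, &trusted);
    return set_contains(use_raw_list ? &claimed : &trusted, required_oid);
}

int main(void)
{
    printf("raw=%d filtered=%d\n", demo_authorized("2.999.2", 1),
           demo_authorized("2.999.2", 0));
    return 0;
}
```

A caller that checks the raw list from the certificate authorizes `2.999.2`, while one that checks the filtered result does not.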