rfc9618v2.txt   rfc9618.txt 
   |
   |  Nodes in the graph can be divided into depths, numbered
   |  starting from zero. A node at depth x can have zero or more
   |  children at depth x+1 and, with the exception of depth zero,
   |  one or more parents at depth x-1. No other edges between
   |  nodes may exist.
   |
   |  If the node is at depth x, the components of the node have
   |  the following semantics:
   |
   |  (1)  The valid_policy is a single policy OID representing a
   |       valid policy for the path of length x.
   |
   |  (2)  The qualifier_set is a set of policy qualifiers
   |       associated with the valid policy in certificate x. It
   |       is only necessary to maintain this field if policy
   |       qualifiers are returned to the application. See
   |       Section 6.1.5, step (g).
   |
   |  (3)  The expected_policy_set contains one or more policy OIDs
   |       that would satisfy this policy in the certificate x+1.
   |
   |  The initial value of the valid_policy_graph is a single node
   |  with valid_policy anyPolicy, an empty qualifier_set, and an
   |  expected_policy_set with the single value anyPolicy. This
   |  node is considered to be at depth zero.
   |
   |  The graph additionally satisfies the following invariants:
   |
   |  *  For any depth x and policy OID P-OID, there is at most one
   |     node at depth x whose valid_policy is P-OID.
   |
   |  *  The expected_policy_set of a node whose valid_policy is
   |     anyPolicy is always {anyPolicy}.
   |
   |  *  A node at depth x whose valid_policy is anyPolicy, except
   |     for the one at depth zero, always has exactly one parent:
   |     a node at depth x-1 whose valid_policy is also anyPolicy.
   |
   |  *  Each node at depth greater than 0 has either one or more
   |     parent nodes whose valid_policy is not anyPolicy or a
   |     single parent node whose valid_policy is anyPolicy. That
   |     is, a node cannot simultaneously be a child of both
   |     anyPolicy and some non-anyPolicy OID.
   |
   |  Figure 3 is a graphic representation of the initial state of
   |  the valid_policy_graph. Additional figures will use this
   |  format to describe changes in the valid_policy_graph during
   |  path processing.
   |
   |                 +----------------+
   |                 |   anyPolicy    |   <---- valid_policy
   |                 +----------------+
   |                 |       {}       |   <---- qualifier_set
5.3.  Updates to Section 6.1.3

   The following replaces steps (d), (e), and (f) in Section 6.1.3 of
   [RFC5280]:
   |  (d)  If the certificate policies extension is present in the
   |       certificate and the valid_policy_graph is not NULL, process
   |       the policy information by performing the following steps in
   |       order:
   |
   |       (1)  For each policy P not equal to anyPolicy in the
   |            certificate policies extension, let P-OID denote the OID
   |            for policy P and P-Q denote the qualifier set for policy
   |            P. Perform the following steps in order:
   |
   |            (i)   Let parent_nodes be the nodes at depth i-1 in the
   |                  valid_policy_graph where P-OID is in the
   |                  expected_policy_set. If parent_nodes is not
   |                  empty, create a child node as follows: set the
   |                  valid_policy to P-OID, set the qualifier_set to
   |                  P-Q, set the expected_policy_set to {P-OID}, and
   |                  set the parent nodes to parent_nodes.
   |
   |                  For example, consider a valid_policy_graph with a
   |                  node of depth i-1 where the expected_policy_set is
   |                  {Gold, White} and a second node where the
   |                  expected_policy_set is {Gold, Yellow}. Assume the
   |                  certificate policies Gold and Silver appear in the
   |                  certificate policies extension of certificate i.
   |                  The Gold policy is matched, but the Silver policy
   |                  is not. This rule will generate a child node of
   |                  depth i for the Gold policy. The result is shown
   |                  as Figure 4.
   |
   |            +-----------------+  +-----------------+
   |            |       Red       |  |      Blue       |
   |            +-----------------+  +-----------------+
   |            |       {}        |  |       {}        |   depth i-1
   |            +-----------------+  +-----------------+
   |            |  {Gold, White}  |  | {Gold, Yellow}  |
   |            +-----------------+  +-----------------+
   |                     \                  /
   |                      \                /
   |                       \              /
   |                        v            v
   |                      +-----------------+
   |                      |      Gold       |
   |                      +-----------------+
   |                      |       {}        |   depth i
   |                      +-----------------+
   |                      |     {Gold}      |
   |                      +-----------------+
   |
   |                 Figure 4: Processing an Exact Match
   |
   |            (ii)  If there was no match in step (i) and the
   |                  valid_policy_graph includes a node of depth i-1
   |                  with the valid_policy anyPolicy, generate a child
   |                  node with the following values: set the
   |                  valid_policy to P-OID, set the qualifier_set to
   |                  P-Q, set the expected_policy_set to {P-OID}, and
   |                  set the parent node to the anyPolicy node at depth
   |                  i-1.
   |
   |                  For example, consider a valid_policy_graph with a
   |                  node of depth i-1 where the valid_policy is
   |                  anyPolicy. Assume the certificate policies Gold
   |                  and Silver appear in the certificate policies
   |                  extension of certificate i. The Gold policy does
   |                  not have a qualifier, but the Silver policy has
   |                  the qualifier Q-Silver. If Gold and Silver were
   |                  not matched in (i) above, this rule will generate
   |                  two child nodes of depth i, one for each policy.
   |                  The result is shown as Figure 5.
   |
   |                      +-----------------+
   |                      |    anyPolicy    |
   |                      +-----------------+
   |                      |       {}        |
   |                      +-----------------+   depth i-1
   |                      |   {anyPolicy}   |
   |                      +-----------------+
   |                         /           \
   |                        /             \
   |                       /               \
   |                      v                 v
   |            +-----------------+  +-----------------+
   |            |      Gold       |  |     Silver      |
   |            +-----------------+  +-----------------+
   |            |       {}        |  |   {Q-Silver}    |   depth i
   |            +-----------------+  +-----------------+
   |            |     {Gold}      |  |    {Silver}     |
   |            +-----------------+  +-----------------+
   |
   |             Figure 5: Processing Unmatched Policies When a
   |                      Leaf Node Specifies anyPolicy
   |
   |       (2)  If the certificate policies extension includes the
   |            policy anyPolicy with the qualifier set AP-Q and either
   |            (a) inhibit_anyPolicy is greater than 0 or (b) i<n and
   |            the certificate is self-issued, then:
   |
   |            For each policy OID P-OID (including anyPolicy) that
   |            appears in the expected_policy_set of some node in the
   |            valid_policy_graph for depth i-1, if P-OID does not
   |            appear as the valid_policy of some node at depth i,
   |            create a single child node with the following values:
   |            set the valid_policy to P-OID, set the qualifier_set to
   |            AP-Q, set the expected_policy_set to {P-OID}, and set
   |            the parents to the nodes at depth i-1 where P-OID
   |            appears in expected_policy_set.
   |
   |            This is equivalent to running step (1) above as if the
   |            certificate policies extension contained a policy with
   |            OID P-OID and qualifier set AP-Q.
   |
   |            For example, consider a valid_policy_graph with a node
   |            of depth i-1 where the expected_policy_set is {Gold,
   |            Silver} and a second node of depth i-1 where the
   |            expected_policy_set is {Gold}. Assume anyPolicy appears
   |            in the certificate policies extension of certificate i
   |            with policy qualifiers AP-Q, but Gold and Silver do not
   |            appear. This rule will generate two child nodes of
   |            depth i, one for each policy. The result is shown below
   |            as Figure 6.
   |
   |            +-----------------+  +-----------------+
   |            |       Red       |  |      Blue       |
   |            +-----------------+  +-----------------+
   |            |       {}        |  |       {}        |   depth i-1
   |            +-----------------+  +-----------------+
   |            | {Gold, Silver}  |  |     {Gold}      |
   |            +-----------------+  +-----------------+
   |                     |       \                |
   |                     |        \               |
   |                     |         \              |
   |                     |          \             |
   |                     |           \            |
   |                     v            v           v
   |            +-----------------+  +-----------------+
   |            |     Silver      |  |      Gold       |
   |            +-----------------+  +-----------------+
   |            |     {AP-Q}      |  |     {AP-Q}      |   depth i
   |            +-----------------+  +-----------------+
   |            |    {Silver}     |  |     {Gold}      |
   |            +-----------------+  +-----------------+
   |
   |              Figure 6: Processing Unmatched Policies When the
   |              Certificate Policies Extension Specifies anyPolicy
   |
   |       (3)  If there is a node in the valid_policy_graph of depth
   |            i-1 or less without any child nodes, delete that node.
   |            Repeat this step until there are no nodes of depth i-1
   |            or less without children.
   |
   |            For example, consider the valid_policy_graph shown in
   |            Figure 7 below. The two nodes at depth i-1 that are
   |            marked with an 'X' have no children, and they are
   |            deleted. Applying this rule to the resulting graph will
   |            cause the node at depth i-2 that is marked with a 'Y'
   |            to be deleted. In the resulting graph, there are no
   |            nodes of depth i-1 or less without children, and this
   |            step is complete.
   |
   |                                 +-----------+
   |                                 |           |   depth i-3
   |                                 +-----------+
   |                                /      |      \
   |                               /       |       \
   |                              v        v        v
   |            +-----------+  +-----------+  +-----------+
   |            |           |  |           |  |     Y     |   depth i-2
   |            +-----------+  +-----------+  +-----------+
   |                  |     \         |              |
   |                  |      \        |              |
   |                  v       v       v              v
   |            +-----------+  +-----------+  +-----------+
   |            |     X     |  |           |  |     X     |   depth i-1
   |            +-----------+  +-----------+  +-----------+
   |                                /      |      \
   |                               /       |       \
   |                              v        v        v
   |            +-----------+  +-----------+  +-----------+
   |            |           |  |           |  |           |   depth i
   |            +-----------+  +-----------+  +-----------+
   |
   |                 Figure 7: Pruning the valid_policy_graph
   |
   |  (e)  If the certificate policies extension is not present, set the
   |       valid_policy_graph to NULL.
   |
   |  (f)  Verify that either explicit_policy is greater than 0 or the
   |       valid_policy_graph is not equal to NULL.
   The text following step (f) in Section 6.1.3 of [RFC5280], beginning
   with "If any of steps (a), (b), (c), or (f) fails", is left
   unmodified.
5.4.  Updates to Section 6.1.4

   The following replaces step (b) in Section 6.1.4 of [RFC5280]:
   |  (b)  If a policy mappings extension is present, then for each
   |       issuerDomainPolicy ID-P in the policy mappings extension:
   |
   |       (1)  If the policy_mapping variable is greater than 0 and
   |            there is a node in the valid_policy_graph of depth i
   |            where ID-P is the valid_policy, set expected_policy_set
   |            to the set of subjectDomainPolicy values that are
   |            specified as equivalent to ID-P by the policy mappings
   |            extension.
   |
   |       (2)  If the policy_mapping variable is greater than 0 and no
   |            node of depth i in the valid_policy_graph has a
   |            valid_policy of ID-P but there is a node of depth i with
   |            a valid_policy of anyPolicy, then generate a child node
   |            of the node of depth i-1 that has a valid_policy of
   |            anyPolicy as follows:
   |
   |            (i)    set the valid_policy to ID-P;
   |
   |            (ii)   set the qualifier_set to the qualifier set of the
   |                   policy anyPolicy in the certificate policies
   |                   extension of certificate i; and
   |
   |            (iii)  set the expected_policy_set to the set of
   |                   subjectDomainPolicy values that are specified as
   |                   equivalent to ID-P by the policy mappings
   |                   extension.
   |
   |       (3)  If the policy_mapping variable is equal to 0:
   |
   |            (i)    delete the node, if any, of depth i in the
   |                   valid_policy_graph where ID-P is the valid_policy.
   |
   |            (ii)   If there is a node in the valid_policy_graph of
   |                   depth i-1 or less without any child nodes, delete
   |                   that node. Repeat this step until there are no
   |                   nodes of depth i-1 or less without children.
5.5.  Updates to Section 6.1.5

   The following replaces step (g) in Section 6.1.5 of [RFC5280]:
   |  (g)  Calculate the user_constrained_policy_set as follows. The
   |       user_constrained_policy_set is a set of policy OIDs, along
   |       with associated policy qualifiers.
   |
   |       (1)  If the valid_policy_graph is NULL, set
   |            valid_policy_node_set to the empty set.
   |
   |       (2)  If the valid_policy_graph is not NULL, set
   |            valid_policy_node_set to the set of policy nodes whose
   |            valid_policy is not anyPolicy and whose parent list is a
   |            single node with valid_policy of anyPolicy.
   |
   |       (3)  If the valid_policy_graph is not NULL and contains a
   |            node of depth n with the valid_policy anyPolicy, add it
   |            to valid_policy_node_set.
   |
   |       (4)  Compute authority_constrained_policy_set, a set of
   |            policy OIDs and associated qualifiers as follows. For
   |            each node in valid_policy_node_set:
   |
   |            (i)   Add the node's valid_policy to
   |                  authority_constrained_policy_set.
   |
   |            (ii)  Collect all qualifiers in the node, its ancestors,
   |                  and descendants and associate them with
   |                  valid_policy. Applications that do not use policy
   |                  qualifiers MAY skip this step to simplify
   |                  processing.
   |
   |       (5)  Set user_constrained_policy_set to
   |            authority_constrained_policy_set.
   |
   |       (6)  If the user-initial-policy-set is not anyPolicy:
   |
   |            (i)   Remove any elements of user_constrained_policy_set
   |                  that do not appear in user-initial-policy-set.
   |
   |            (ii)  If anyPolicy appears in
   |                  authority_constrained_policy_set with qualifiers
   |                  AP-Q, for each OID P-OID in user-initial-policy-
   |                  set that does not appear in
   |                  user_constrained_policy_set, add P-OID with
   |                  qualifiers AP-Q to user_constrained_policy_set.
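The following Python model is an added illustration and is not code from RFC 9618, RFC 5280 or any implementation; it walks the graph definition and invariants from the quoted Section 5.2 text and the replacement steps for Sections 6.1.3 (d), 6.1.4 (b) and 6.1.5 (g) above. Its assumptions are its own: policy OIDs are plain strings, qualifier sets are frozensets, the class and method names (PolicyGraph, process_policies, apply_policy_mappings, user_constrained_policy_set) are invented for the example, a graph whose depth-0 node has been pruned is treated as NULL, and steps (e) and (f) and the rest of the path-validation state are not modelled.

```python
# Added example, not text from RFC 9618: a model of the valid_policy_graph and of the
# replacement steps for Sections 6.1.3 (d), 6.1.4 (b) and 6.1.5 (g). Policy OIDs are
# plain strings, qualifier sets are frozensets, and every name here is this example's own.
from dataclasses import dataclass, field

ANY = "anyPolicy"

@dataclass(eq=False)  # identity equality, so list.remove() drops exactly this node
class Node:
    valid_policy: str
    qualifier_set: frozenset
    expected_policy_set: frozenset
    parents: list = field(default_factory=list)
    children: list = field(default_factory=list)

class PolicyGraph:
    """levels[x] holds the nodes at depth x; the depth-0 node is created up front."""
    def __init__(self):
        self.levels = [[Node(ANY, frozenset(), frozenset({ANY}))]]
    @property
    def is_null(self):  # every node pruned away: this example treats that as NULL
        return not self.levels[0]
    def find(self, depth, policy):
        lvl = self.levels[depth] if depth < len(self.levels) else []
        return next((nd for nd in lvl if nd.valid_policy == policy), None)
    def _add(self, depth, policy, quals, parents):
        node = Node(policy, quals, frozenset({policy}), list(parents))
        for p in parents:
            p.children.append(node)
        while len(self.levels) <= depth:
            self.levels.append([])
        self.levels[depth].append(node)
        return node
    def _remove(self, depth, node):
        self.levels[depth].remove(node)
        for p in node.parents:
            p.children.remove(node)
    def prune(self, i):  # (d)(3) and (b)(3)(ii): delete childless nodes of depth i-1 or less
        for depth in range(min(i, len(self.levels)) - 1, -1, -1):  # top-down, so a parent
            for nd in list(self.levels[depth]):                     # emptied above is caught
                if not nd.children:
                    self._remove(depth, nd)
    def process_policies(self, i, policies, inhibit_any_policy, self_issued, n):
        """6.1.3 step (d) for certificate i (1-based) of a path of length n; policies
        maps each OID in the certificate policies extension to its qualifier set."""
        prev = [] if self.is_null else self.levels[i - 1]
        for p_oid, p_q in policies.items():  # (1)
            if p_oid == ANY:
                continue
            parents = [nd for nd in prev if p_oid in nd.expected_policy_set]
            if parents:  # (1)(i) exact match: one child, possibly with several parents
                self._add(i, p_oid, p_q, parents)
            elif self.find(i - 1, ANY) is not None:  # (1)(ii) child of the anyPolicy node
                self._add(i, p_oid, p_q, [self.find(i - 1, ANY)])
        if ANY in policies and (inhibit_any_policy > 0 or (i < n and self_issued)):
            for p_oid in sorted({oid for nd in prev for oid in nd.expected_policy_set}):
                if self.find(i, p_oid) is None:  # (2) one child per still-unmatched OID
                    self._add(i, p_oid, policies[ANY],
                              [nd for nd in prev if p_oid in nd.expected_policy_set])
        self.prune(i)  # (3)
    def apply_policy_mappings(self, i, mappings, any_qualifiers, policy_mapping):
        """6.1.4 step (b): mappings maps issuerDomainPolicy -> set of subjectDomainPolicy;
        any_qualifiers is the qualifier set of anyPolicy in certificate i."""
        for id_p, subject_policies in mappings.items():
            node = self.find(i, id_p)
            if policy_mapping > 0 and node is not None:  # (1)
                node.expected_policy_set = frozenset(subject_policies)
            elif policy_mapping > 0 and self.find(i, ANY) is not None:  # (2)
                child = self._add(i, id_p, any_qualifiers, [self.find(i - 1, ANY)])
                child.expected_policy_set = frozenset(subject_policies)
            elif policy_mapping == 0:  # (3)
                if node is not None:
                    self._remove(i, node)
                self.prune(i)
    @staticmethod
    def _qualifiers_along(node):  # (g)(4)(ii): the node, its ancestors and descendants
        quals = set(node.qualifier_set)
        for attr in ("parents", "children"):  # up through parents, down through children
            stack = list(getattr(node, attr))
            while stack:
                nd = stack.pop()
                quals |= nd.qualifier_set
                stack.extend(getattr(nd, attr))
        return frozenset(quals)
    def user_constrained_policy_set(self, n, user_initial_policy_set):
        """6.1.5 step (g); returns {policy OID: qualifiers}. A NULL graph has no nodes."""
        node_set = [nd for lvl in self.levels for nd in lvl if nd.valid_policy != ANY
                    and len(nd.parents) == 1 and nd.parents[0].valid_policy == ANY]  # (2)
        if self.find(n, ANY) is not None:  # (3)
            node_set.append(self.find(n, ANY))
        authority = {nd.valid_policy: self._qualifiers_along(nd) for nd in node_set}  # (4)
        user = dict(authority)  # (5)
        if user_initial_policy_set != {ANY}:  # (6)
            user = {p: q for p, q in user.items() if p in user_initial_policy_set}  # (i)
            for p_oid in (user_initial_policy_set if ANY in authority else ()):  # (ii)
                user.setdefault(p_oid, authority[ANY])
        return user
```

Replaying the scenario of Figure 4 against this model (Red and Blue created under the depth-0 anyPolicy node by certificate 1, mapped to {Gold, White} and {Gold, Yellow}, then Gold and Silver in certificate 2) yields a single Gold node with two parents and no Silver node, and user_constrained_policy_set comes back as {Red, Blue}: step (g)(2) expresses the result in the policies that sit directly under anyPolicy, not in the mapped names at the leaf. The Figure 6 scenario (only anyPolicy with AP-Q in certificate 2) produces Silver under Red alone and Gold under both parents, each carrying AP-Q, and a certificate whose only match is Gold leaves Blue childless so that step (d)(3) prunes it, as in Figure 7.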
   In addition, the final paragraph in Section 6.1.5 of [RFC5280] is
   updated as follows:

   OLD:

   |  If either (1) the value of explicit_policy variable is greater
   |  than zero or (2) the valid_policy_tree is not NULL, then path
   |  processing has succeeded.
End of changes. 44 change blocks.
223 lines changed or deleted, 237 lines changed or added

This html diff was produced by rfcdiff 1.48.