Description
I propose to require that "Subscriber Certificates MUST include a CA/Browser Forum Reserved Policy Identifier in the Certificate Policies extension", while allowing other CA-defined Policy OIDs as a "MAY".
In other words, I propose to modify the following language (§9.3.4) ....
A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the
CA, in the Certificate’s certificatePolicies extension that indicates adherence to and compliance with
these Requirements. CAs complying with these Requirements MAY also assert the reserved policy
OIDs in such Certificates.
... like this:
CAs complying with these Requirements MUST include the CA/Browser Forum Reserved Policy OID (see section 9.3.1) in the Subscriber Certificate’s certificatePolicies extension. CAs MAY also assert in such Certificates one or more policy identifier(s), defined by the CA, that indicates adherence to and compliance with these Requirements.
This would allow one to quickly and automatically determine if any given Certificate under examination is supposed to comply with the CABF CS BRs.
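
The automated check this proposal would enable, as an added example that is not part of the original issue or of the CA/Browser Forum documents: it builds a constructed test certificate, parses it back from DER, and reports whether its certificatePolicies extension asserts a reserved OID. The OID values 2.23.140.1.4.1 and 2.23.140.1.3 are assumptions not stated on this page (confirm them against section 9.3.1), `ReservedPolicy`, `sampleCert` and `must` are hypothetical names, and 2.999.1 is an example-arc OID standing in for a CA-defined policy.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Assumed reserved policy OIDs; confirm against section 9.3.1 of the Requirements.
var reservedPolicies = map[string]string{"2.23.140.1.4.1": "code signing", "2.23.140.1.3": "EV code signing"}

// ReservedPolicy returns the label of the first reserved OID in certificatePolicies.
func ReservedPolicy(cert *x509.Certificate) (string, bool) {
	for _, oid := range cert.PolicyIdentifiers {
		if name, ok := reservedPolicies[oid.String()]; ok {
			return name, true
		}
	}
	return "", false
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sampleCert returns a constructed, self-signed test certificate asserting the given policy OIDs.
func sampleCert(oids ...asn1.ObjectIdentifier) *x509.Certificate {
	infos := make([]struct{ ID asn1.ObjectIdentifier }, len(oids)) // SEQUENCE OF PolicyInformation
	for i, oid := range oids {
		infos[i].ID = oid
	}
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // throwaway test key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: must(asn1.Marshal(infos))}},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
}

func main() {
	fmt.Println(ReservedPolicy(sampleCert(asn1.ObjectIdentifier{2, 999, 1}, asn1.ObjectIdentifier{2, 23, 140, 1, 4, 1})))
}
```

A certificate that carries only the CA-defined OID returns `false` here, which is the case the current §9.3.4 wording permits and the proposed wording would rule out.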