This repository was archived by the owner on Aug 27, 2019. It is now read-only.

Why don't x.509 policy constraints prevent this site from validating? #1

@konklone

Description

https://test3.fpki.18f.gov

The above host uses an FPKI TOCA-issued certificate, with an installed 7-certificate chain (including the EE cert) that proceeds up to Identrust's DST ACES CA X6 root.

This root cross-signed the Federal Common Policy CA, as discussed on Bugzilla, and Identrust has said they will revoke the cross-signature by February 19th.

However, I believe the Federal Common Policy CA in this chain has an X.509 Policy Constraints extension of inhibitPolicyMapping (skipCerts=1).

   If the inhibitPolicyMapping field is present, the value indicates the
   number of additional certificates that may appear in the path before
   policy mapping is no longer permitted.  For example, a value of one
   indicates that policy mapping may be processed in certificates issued
   by the subject of this certificate, but not in additional
   certificates in the path.

I've validated that libcurl, Chrome, and Firefox all successfully validate the chain at https://test3.fpki.18f.gov as chaining to a trusted root. Should this be the case?
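As an added example (not part of this issue or of the 18F/FPKI project), the following simulates how RFC 5280 section 6.1 path validation tracks the `policy_mapping` and `explicit_policy` state variables across a chain carrying inhibitPolicyMapping(skipCerts=1). The chain below is constructed: only the cross-certificate's skipCerts value comes from the issue; the intermediate names, the chain length and which certificates carry a policyMappings extension are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    name: str
    self_issued: bool = False                       # subject == issuer (re-keyed CA)
    inhibit_policy_mapping: Optional[int] = None    # policyConstraints.inhibitPolicyMapping
    require_explicit_policy: Optional[int] = None   # policyConstraints.requireExplicitPolicy
    has_policy_mappings: bool = False               # carries a policyMappings extension

def walk_policy_state(chain, initial_policy_mapping_inhibit=False, initial_explicit_policy=False):
    """Process certs 1..n (trust anchor excluded, RFC 5280 6.1.1) and report, for each
    CA cert, whether its policy mappings are honoured, plus the final explicit_policy.
    A final explicit_policy > 0 means the path cannot be rejected on policy grounds
    (6.1.5 (g)), whatever happened to the mappings."""
    n = len(chain)
    policy_mapping = 0 if initial_policy_mapping_inhibit else n + 1   # 6.1.2 initial state
    explicit_policy = 0 if initial_explicit_policy else n + 1
    honoured = {}
    for i, cert in enumerate(chain, start=1):
        if i < n:   # CA certificate: 6.1.4 "preparation for certificate i+1"
            # 6.1.4 (b): mappings apply only while policy_mapping > 0; at 0 the mapped
            # nodes are pruned from valid_policy_tree, which is not itself a failure.
            honoured[cert.name] = cert.has_policy_mappings and policy_mapping > 0
            if not cert.self_issued:                # 6.1.4 (h): decrement counters
                explicit_policy = max(explicit_policy - 1, 0)
                policy_mapping = max(policy_mapping - 1, 0)
            if cert.require_explicit_policy is not None and cert.require_explicit_policy < explicit_policy:
                explicit_policy = cert.require_explicit_policy   # 6.1.4 (i)(1)
            if cert.inhibit_policy_mapping is not None and cert.inhibit_policy_mapping < policy_mapping:
                policy_mapping = cert.inhibit_policy_mapping     # 6.1.4 (i)(2)
        else:       # end entity: 6.1.5 wrap-up (a) and (b)
            explicit_policy = max(explicit_policy - 1, 0)
            if cert.require_explicit_policy == 0:
                explicit_policy = 0
    return honoured, explicit_policy

# Constructed chain below the DST ACES CA X6 anchor (names and mappings are assumptions).
CHAIN = [
    Cert("Federal Common Policy CA (cross-certificate)", inhibit_policy_mapping=1, has_policy_mappings=True),
    Cert("Intermediate A (constructed)", has_policy_mappings=True),
    Cert("Intermediate B (constructed)", has_policy_mappings=True),
    Cert("Issuing CA (constructed)"),
    Cert("test3.fpki.18f.gov (end entity)"),
]

if __name__ == "__main__":
    print(walk_policy_state(CHAIN))
```

With skipCerts=1, mappings are honoured in the certificate issued by the cross-certified CA (Intermediate A) but not further down, exactly as the quoted RFC text describes; unless the validator sets initial-explicit-policy, `explicit_policy` stays above 0 and the path still succeeds.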
