On Sat, Jan 13, 2024, at 04:20, David Benjamin wrote:
>> Because it seems possible for a certificate to contain multiple
>> mappings for the same OIDs, with different qualifiers for each mapping. I
>> don't think that changes the outcome either, but it is a bit of a mind-bender,
>> head-scratcher if you don't have a lot of time or context.
>
> One quick clarification, if I understand you correctly: policy
> qualifiers in a certificate come from policies themselves rather than
> the mappings. Mappings are just pairs of OIDs in subject and issuer
> policy space. It's not possible for a node's qualifiers to change based
> on mapping. If you believe that the policy OIDs between the old and new
> algorithm match, that should translate straightforwardly to the policy
> qualifiers.
>
> Does that resolve this, or was it something else?

That helps, but not a lot ㄟ( ▔, ▔ )ㄏ. I think that the primary source of my misunderstanding was the intermixing of discussion about multiple certification paths and multiple paths through the tree. That a tree refers to a singular certification path was key.

There is only a single set of qualifiers on the applicable policies. That there are mappings only potentially changes which policies receive the qualifiers.

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call