<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
!!! Overview
[{$pagename}] ([OID] [2.5.29.34]) [Certificate Extension] can be used in [certificates] issued to [Certificate Authorities|Certificate Authority].  

[{$pagename}] extension constrains path validation in two ways. [{$pagename}] can be used to prohibit policy mapping or require that each certificate in a path contain an acceptable policy identifier.

If the [inhibitPolicyMapping] field is present, the value indicates the number of additional certificates that may appear in the path before policy mapping is no longer permitted.
For example, a value of one indicates that policy mapping may be processed in certificates issued by the subject of this certificate, but not in additional certificates in the path.

If the [requireExplicitPolicy] field is present, the value of [requireExplicitPolicy] indicates the number of additional certificates that may appear in the path before an explicit policy is required for the entire path.  When an explicit policy is required, it is necessary for all certificates in the path to contain an acceptable policy identifier in the certificate policies extension.  An acceptable policy identifier is the identifier of a policy required by the user of the certification path or the identifier of a policy that has been declared equivalent through policy mapping.

Conforming applications [MUST] be able to process the [requireExplicitPolicy] field and [SHOULD] be able to process the [inhibitPolicyMapping] field.  Applications that support the inhibitPolicyMapping field MUST also implement support for the policyMappings extension.  If the policyConstraints extension is marked as critical and the inhibitPolicyMapping field is present, applications that do not implement support for the [inhibitPolicyMapping] field __[MUST] reject the certificate__.

Conforming [Certificate Authorities|Certificate Authority] [MUST NOT] issue certificates where policy constraints is an empty sequence.  That is, either the [inhibitPolicyMapping] field or the [requireExplicitPolicy] field [MUST] be present.  The behavior of clients that encounter an empty policy constraints field is not addressed in this profile.

Conforming [Certificate Authorities|Certificate Authority] __[MUST] mark this extension as critical.__

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
</pre>