Ballot SC31 significantly improved the language regarding Section 7.1.6.{2/3/4}, clarifying when the CA/B Forum Policy OID is required.
However, there exist some interesting intersections from that language that would benefit from further cleanup and clarification.
Because a reserved CA/B Forum OID is required for Subscriber certificates (effective 2020-09-30), this means that the options for a Subordinate CA Certificate are that it MUST either contain the anyPolicy identifier (only permitted if an Affiliate) or MUST contain the explicit policy identifier (if Affiliated or if not Affiliated).
This could be harmonized by simply aligning the two requirements, by requiring that both Affiliated and non-Affiliated sub-CAs MUST contain one or more explicit CABF OIDs. The current language reads ambiguously, in that the parenthetical also allows for non-reserved CABF OIDs to be present. For example, this may incorrectly lead CAs to believe that the policyMappings extension is appropriate to use here, which is intentionally not widely supported.
The current language in 7.1.6.3 regarding "issued to a Subordinate CA" leaves it ambiguous whether this is:
1. A requirement that applies from the moment the certificate is issued until it's expired or revoked (i.e. that you cannot transfer an Affiliated sub-CA to a non-Affiliated entity)
2. A requirement that only applies at time of issuance (i.e. that you can create a certificate for yourself, with anyPolicy, and then later transfer that certificate and private key to a third-party)
This tension arises because the phrase "issued to" is ambiguous. One possible attempt to clarify this would be "operated by". However, such language would implicitly have retroactive effect, if CAs had performed such anyPolicy transfers.
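As an added illustration (not code from the issue or from the Forum's documents), here is a lint-style check in Go that applies the Subordinate CA rule described above to the DER value of a certificatePolicies extension: anyPolicy passes only for an Affiliate, and otherwise at least one reserved CABF OID must be present, with a CA-private OID alone not sufficient. It assumes the reserved DV/OV/IV/EV policy OIDs (2.23.140.1.2.1, 2.23.140.1.2.2, 2.23.140.1.2.3 and 2.23.140.1.1), ignores policy qualifiers, and builds its own sample inputs.

```go
package main

import "encoding/asn1"

// PolicyInformation (RFC 5280 §4.2.1.4); qualifiers are kept raw and ignored.
type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
	Qualifiers       asn1.RawValue `asn1:"optional"`
}

var (
	oidAnyPolicy = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
	// Reserved CA/Browser Forum policy OIDs: DV, OV, IV, EV (assumed values, not from the issue).
	cabfReserved = []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}, {2, 23, 140, 1, 2, 2}, {2, 23, 140, 1, 2, 3}, {2, 23, 140, 1, 1}}
)

// encodePolicies builds the DER value of a certificatePolicies extension (used for constructed sample input).
func encodePolicies(oids ...asn1.ObjectIdentifier) []byte {
	pis := make([]policyInformation, len(oids))
	for i, o := range oids {
		pis[i].PolicyIdentifier = o
	}
	der, err := asn1.Marshal(pis)
	if err != nil {
		panic(err)
	}
	return der
}

// checkSubCAPolicies: anyPolicy only for an Affiliate; otherwise a reserved CABF OID is required.
func checkSubCAPolicies(der []byte, affiliated bool) (bool, string) {
	var policies []policyInformation
	if rest, err := asn1.Unmarshal(der, &policies); err != nil || len(rest) != 0 {
		return false, "malformed certificatePolicies value"
	}
	hasAny, hasCABF := false, false
	for _, p := range policies {
		hasAny = hasAny || p.PolicyIdentifier.Equal(oidAnyPolicy)
		for _, r := range cabfReserved {
			hasCABF = hasCABF || p.PolicyIdentifier.Equal(r)
		}
	}
	switch {
	case hasAny && !affiliated:
		return false, "anyPolicy is only permitted for an Affiliate"
	case hasAny, hasCABF:
		return true, "compliant"
	}
	return false, "no reserved CABF policy OID (a CA-private OID alone is not enough)"
}
```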