I received a PDF signed with a valid certificate issued under the chain DoD Root CA 2 > DOD CA-27. The signing cert was a soft-cert with certificate policies 2.16.840.1.101.2.1.11.5 (medium assurance) and 2.16.840.1.101.2.1.11.18 (medium 2048 assurance). The signature failed to validate ("The selected certificate path has errors: Invalid policy constraint") and it looks like the root cause is that Reader XI ships with 3 certificate policies (2.16.840.1.101.2.1.11.4, 2.16.840.1.101.2.1.11.9, and 2.16.840.1.101.2.1.11.19) defined for DoD Root CA 2 that don't include either of the policies in the signing cert.
It's possible to modify the policies for DoD Root CA 2 so that the signing cert is accepted, but it's a pain to explain to users and doesn't promote confidence in the signature.
Is there a better way to resolve this problem?
Who sets the default certificate policies and why would they not match the actual DoD PKI issuance policies?
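To make the failure described in the question concrete, here is an added example (not code from the original post or from Adobe) that models the policy-set intersection a path validator performs along the chain, using the OIDs named above. The policies asserted by the intermediate DOD CA-27 are not given in the post, so anyPolicy is assumed for it; policy mapping and inhibit-anyPolicy are left out of this simplified model.

```python
# Added example: simplified certificate-policy processing along a path.
# Shows why the anchor's configured policies and the signer's policies
# never intersect, and why adding the signer's policies to the anchor
# makes the same path validate.

ANY_POLICY = "2.5.29.32.0"            # anyPolicy OID
DOD_POLICY_ARC = "2.16.840.1.101.2.1.11"  # DoD policy arc from the post


def dod(n):
    """Build a DoD policy OID such as 2.16.840.1.101.2.1.11.5."""
    return f"{DOD_POLICY_ARC}.{n}"


def validate_policies(anchor_policies, chain):
    """Walk the path from the trust anchor down to the end-entity cert.

    anchor_policies: policy OIDs the verifier accepts for this anchor
    chain: list of {"subject": str, "policies": [oid, ...]}, ordered
           anchor side first and end-entity last.
    Returns (valid, surviving_policies, failing_subject).
    """
    allowed = set(anchor_policies)
    for cert in chain:
        asserted = set(cert["policies"])
        if ANY_POLICY in asserted:
            pass                      # anyPolicy passes the current set through
        elif ANY_POLICY in allowed:
            allowed = asserted        # anchor accepted anything: narrow to cert
        else:
            allowed &= asserted       # ordinary case: intersect
        if not allowed:
            return False, set(), cert["subject"]
    return True, allowed, None


# Constructed sample path. The intermediate's policies are an assumption;
# the signer's policies and Reader's defaults are the ones from the post.
READER_DEFAULT_POLICIES = [dod(4), dod(9), dod(19)]
CHAIN = [
    {"subject": "DOD CA-27", "policies": [ANY_POLICY]},
    {"subject": "signer (soft-cert)", "policies": [dod(5), dod(18)]},
]


def explain(anchor_policies, chain):
    ok, survivors, where = validate_policies(anchor_policies, chain)
    if ok:
        return f"path valid; acceptable policies: {sorted(survivors)}"
    return f"invalid policy constraint at {where}"


if __name__ == "__main__":
    print(explain(READER_DEFAULT_POLICIES, CHAIN))
    # The workaround from the post: extend the anchor's accepted policies.
    print(explain(READER_DEFAULT_POLICIES + [dod(5), dod(18)], CHAIN))
```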