A validation engine has two possible actions to take with respect to
an extension:
i)
it can ignore the extension and accept the certificate (all other things
being equal);
ii) it
can process the extension and accept or reject the certificate depending on the
content of the extension and the conditions under which processing is occuring
(e.g. the current values of the path processing
variables).
Some
extensions can only be marked critical. In these cases a validation engine that
understands the extension, processes it and acceptance/rejection of the
certificate is dependent (at least in part) on the content of the extension. A
validation engine that does not understand the extension rejects the
certificate.
Some extensions can only be marked non-critical. In
these cases a validation engine that understands the extension processes it and
acceptance/rejection of the certificate is dependent (at least in part) on the
content of the extension. A validation engine that does not understand the
extension accepts the certificate (unless factors other than this extension
cause it to be rejected).
Some extensions can be marked critical or non-critical. In these cases a validation engine that understands the extension processes it and acceptance/rejection of the certificate is dependent (at least in part) on the content of the extension, regardless of the criticality flag. A validation engine that does not understand the extension accepts the certificate if the extension is marked non-critical (unless factors other than this extension cause it to be rejected) and rejects the certificate if the extension is marked critical.
-----Original Message-----
From: Hoyt L. Kesterson II [mailto:hoytkesterson@xxxxxxxxxxxxx]
Sent: Thursday, July 10, 2003 8:47 PM
To: ietf-pkix@xxxxxxx
Subject: Re: What is mean by recognizing critical extensions ?valid point. i don't see much value to considering "recognizes" as meaning i've heard about the extension but have no ability to process it. this possibly should be addressed in two places1) ietf agreed terminology for stating the capabilities of an implementation2) a clean-up of both ietf and iso/itu standard terminology. somewhere i had some additional text that i considered that stated that the implementation processed the extension according to the rules specified in the standard (old osi conformance lingo)hoytHoyt,
I think the "dispute" is over the term "recognizes". Hypothetically, an implementation may not have the code to "process" a given extension, but might claim to have the code to "recognize" the extension (and thereby hope to satisfy some extended compliance criteria, if erroneously).
If one defines "recognizes" IFF "possesses the code to fully process", the dispute disappears. But then, the conjunction "recognizes AND is able to process" (highlighted below) is indeed redundant, and plausibly misleading.
Cheers! ____tony____
At 02:59 PM 7/10/2003 -0700, Hoyt L. Kesterson II wrote:
I believe that this sentence
When a certificate-using implementation recognizes and is able to process an extension, then the certificate-using implementation shall process the extension regardless of the value of the criticality flag.
means that if an implementation has the code to process an extension, it must do so. if it doesn't have the code, then it will not process an extension because it cannot process it. if, in that case, that extension is flagged critical, then it cannot use the certificate.
if anyone believe that the text says that an extension doesn't have to be processed even though there is an ability to process the extension, i.e. a belief that not being critical means that one can choose to process it or not, then i will recommend additional text for the standard to further clarify the meaning for i can see no useful result from such potential arbitrariness.
hoytTony Bartoletti 925-422-3881 <azb@xxxxxxxx>
Information Operations and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900