Re: IP addr: 01: use NULL instead of BOOLEAN for inherit
Since the extension imposes constraints on the values of subordinate
certificates, it is clear that it must be critical in CA certificates. I
suppose that it could be non-critical in end entity certificates, but the
certificate user must be able to process the extension in the CA
certificates. Not clear there is any value in allowing it to be
non-critical only in end entity certificates.
Russ
At 11:26 AM 7/3/2003 +1000, Manger, James H wrote:
It seems unnecessary to set these extensions to CRITICAL. A relying party
is not misled by ignoring these extensions -- it simply learns nothing new
about IP address and AS allocations.
Perhaps making it CRITICAL is supposed to indicate that the certificate is
binding a public key to these addresses instead of any other type of name
so the subject (and subjectAltName) fields should be ignored. If this is
the case, it may be better to formulate the extensions as OTHER-NAME types
to be used in the subjectAltName extension (in which case no other names
need to be included).
Perhaps making it CRITICAL is supposed to indicate that the certificate
should only be used in, say, Secure BGP and not for, say, secure
e-mail. If this is the case, defining a new purpose identifier for the
extendedKeyUsage extension may be more appropriate.
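The messages above argue over what marking id-pe-ipAddrBlocks critical actually buys. The following is an added example and is not code from this thread, from RFC 3779 or from any project: a minimal DER encoder and decoder for a single X.509 Extension, followed by the RFC 5280 rule a relying party applies to the critical flag. The OIDs are the real RFC 3779 and RFC 5280 values; the sample extnValue (an IPv4 family whose ipAddressChoice is the "inherit" NULL) is constructed here by hand, and the helper names such as disposition and chain_acceptable are this example's own.

```python
# Added example, not code from the pkix thread or from RFC 3779: a minimal DER
# codec for one X.509 Extension plus the RFC 5280 rule a relying party applies
# to the critical flag. OIDs are the real RFC 3779 / RFC 5280 values; the
# sample extnValue below is constructed for this example.
from dataclasses import dataclass

ID_PE_IP_ADDR_BLOCKS = "1.3.6.1.5.5.7.1.7"      # RFC 3779 IP address blocks
ID_PE_AUTONOMOUS_SYS_IDS = "1.3.6.1.5.5.7.1.8"  # RFC 3779 AS identifiers
ID_CE_BASIC_CONSTRAINTS = "2.5.29.19"           # RFC 5280, universally known

# Constructed sample value: IPAddrBlocks holding one IPv4 family (AFI 0001)
# whose ipAddressChoice is the "inherit" NULL, i.e. in RFC 3779 syntax
# SEQUENCE { SEQUENCE { OCTET STRING 00 01, NULL } }.
SAMPLE_IPV4_INHERIT = bytes.fromhex("3008300604020001" "0500")


@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool
    value: bytes


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # remaining arcs in base-128
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(b: bytes) -> str:
    arcs = [2, b[0] - 80] if b[0] >= 80 else [b[0] // 40, b[0] % 40]
    val = 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  DER forbids encoding a DEFAULT value, so the
    BOOLEAN appears only when critical is TRUE (and then only as 0xFF)."""
    body = _tlv(0x06, _encode_oid(oid))
    if critical:
        body += b"\x01\x01\xff"
    body += _tlv(0x04, value)
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + length], pos + length


def decode_extension(der: bytes) -> Extension:
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, elem, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    oid = _decode_oid(elem)
    tag, elem, pos = _read_tlv(body, pos)
    critical = False
    if tag == 0x01:
        # DER: TRUE is exactly 0xFF; FALSE must be omitted (DEFAULT FALSE)
        if elem != b"\xff":
            raise ValueError("non-DER BOOLEAN in critical")
        critical = True
        tag, elem, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    if pos != len(body):
        raise ValueError("trailing bytes in Extension")
    return Extension(oid, critical, elem)


def disposition(ext: Extension, recognized: frozenset) -> str:
    """RFC 5280 s.4.2: a certificate with an unrecognized critical extension
    MUST be rejected; an unrecognized non-critical extension may be ignored."""
    if ext.oid in recognized:
        return "processed"
    return "rejected" if ext.critical else "ignored"


def chain_acceptable(chain, recognized: frozenset) -> bool:
    """chain: one list of DER-encoded extensions per certificate."""
    return all(disposition(decode_extension(e), recognized) != "rejected"
               for cert in chain for e in cert)
```

Run against a relying party that knows only basicConstraints, a critical ipAddrBlocks extension on the CA certificate makes the whole chain fail validation, whereas the non-critical form is silently skipped; that is the difference between "the relying party cannot claim it validated this path" and "the relying party simply learns nothing new", which is what the two messages disagree about. The decoder also rejects an explicitly encoded FALSE, since DER requires DEFAULT values to be absent, the same encoding concern the subject line raises for inherit.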