[IETF-PKIX] Dave's Critical Proposal
Dave,
You stated:
>It's worth remembering that the criticality flag does *not* affect the
>meaning of an extension; the flag's sole purpose is to cause
>applications which do not understand the extension to reject the
>certificate. If an application does understand an extension, it makes
>absolutely no difference whether the extension is marked critical or
>not - the critical flag should not even be examined. The recent
>discussion of certificatePolicies stirred up some mud in this area -
>it's probably a good idea to specify the purpose *and the non-purpose*
>of the critical flag more explicitly in section 4.2. Something like:
>
> "If an implementation recognizes the syntax of a particular extension,
> the value of the critical boolean in that extension SHALL be ignored."
I believe that your text expresses the original intention of the critical
flag, but there are several cases in the 1997 X.509 Recommendation in which
the critical flag is used for purposes beyond the original intent. X.509,
Sec 12.4.3, states special processing requirements for certificatePolicies
extensions that are flagged critical. Also, X.509, Sec 12.6.2, states
special requirements associated with CRLDistributionPoint extensions that
are marked critical. Therefore, your proposed text should not be added to
PKIX I because it would be contradictory to the X.509 Recommendation.
================================
John Pawling
jsp@jgvandyke.com
J.G. Van Dyke & Associates, Inc.
================================
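As an added illustration, not part of this thread or of any PKIX draft, the following Python sketch applies the generic rule Dave's text describes to a constructed X.509 Extensions value: a recognized extension is accepted whatever its critical flag says, and only an unrecognized extension marked critical causes rejection. It does not implement the certificatePolicies or CRLDistributionPoint special processing John cites from X.509; the recognized-OID set and the sample OID 1.2.3.4 are assumptions.

```python
# Added example, not from the PKIX thread: a minimal DER walker over an X.509
# Extensions value applying the rule quoted above. OIDs stay as raw DER bytes.

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extensions(der):
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical, value)."""
    tag, seq, _ = _tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _tlv(seq, pos)
        tag, oid, p = _tlv(ext, 0)
        assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
        tag, val, p = _tlv(ext, p)
        critical = tag == 0x01 and val != b"\x00"   # BOOLEAN DEFAULT FALSE
        if tag == 0x01:                              # flag present: read extnValue
            tag, val, p = _tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        out.append((oid, critical, val))
    return out

# Assumed set of extensions this verifier understands: basicConstraints
# (2.5.29.19) and keyUsage (2.5.29.15), as their DER-encoded OIDs.
RECOGNIZED = {b"\x55\x1d\x13", b"\x55\x1d\x0f"}

def extensions_acceptable(der):
    """Reject only when an unrecognized extension is critical; a recognized one's flag is never consulted."""
    return all(oid in RECOGNIZED or not critical
               for oid, critical, _ in parse_extensions(der))

def _der(tag, body):
    return bytes([tag, len(body)]) + body     # short-form length only

def _ext(oid, critical, value):
    flag = b"\x01\x01\xff" if critical else b""
    return _der(0x30, _der(0x06, oid) + flag + _der(0x04, value))

# Constructed sample data: a critical basicConstraints (recognized) beside a
# made-up private OID 1.2.3.4, marked critical in one value and not the other.
BC, UNKNOWN = b"\x55\x1d\x13", b"\x2a\x03\x04"
OK_EXTS = _der(0x30, _ext(BC, True, b"\x30\x00") + _ext(UNKNOWN, False, b"\x00"))
BAD_EXTS = _der(0x30, _ext(BC, True, b"\x30\x00") + _ext(UNKNOWN, True, b"\x00"))
```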