Re: [IETF-PKIX] PKIX Part 1: more clarity needed on AltNames
Dave:
At 09:30 AM 12/31/97 -0500, David P. Kemp wrote:
>It's worth remembering that the criticality flag does *not* affect the
>meaning of an extension; the flag's sole purpose is to cause
>applications which do not understand the extension to reject the
>certificate. If an application does understand an extension, it makes
>absolutely no difference whether the extension is marked critical or
>not - the critical flag should not even be examined. The recent
>discussion of certificatePolicies stirred up some mud in this area -
>it's probably a good idea to specify the purpose *and the non-purpose*
>of the critical flag more explicitly in section 4.2. Something like:
>
> "If an implementation recognizes the syntax of a particular extension,
> the value of the critical boolean in that extension SHALL be ignored."
This would be going too far. A critical extension conveys semantics that a
conforming implementation must implement, otherwise not use the
certificate. With a non-critical extension, there is no requirement to
implement particular semantics -- the extension may be ignored, regardless
of whether or not the implementation recognizes the syntax.
Warwick
---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------
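As an added illustration of the two readings argued in this exchange (not code from the thread or from any PKIX implementation), the following Python models a hypothetical relying party that can parse certificatePolicies but does not implement policy processing, and shows where the proposed "ignore the flag once the syntax is recognized" text and the reply's "critical semantics must be implemented" position diverge. The id-ce OIDs are the standard ones; the private OID, the extension list and the rule labels "kemp" and "ford" are constructed for this example.

```python
from dataclasses import dataclass

# Standard X.509 extension OIDs (id-ce arc); the private OID is a constructed placeholder.
OID_KEY_USAGE = "2.5.29.15"
OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_CERT_POLICIES = "2.5.29.32"
OID_PRIVATE = "1.3.6.1.4.1.0.999"  # hypothetical vendor extension this relying party has never seen

@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool

# Hypothetical relying party: it can decode the syntax of these three extensions ...
PARSEABLE = {OID_KEY_USAGE, OID_SUBJECT_ALT_NAME, OID_CERT_POLICIES}
# ... but only implements the semantics of these two (no policy processing at all).
IMPLEMENTED = {OID_KEY_USAGE, OID_SUBJECT_ALT_NAME}

def evaluate(extensions, rule):
    """Decide whether a certificate may be used; returns (usable, OIDs acted on).
    rule="kemp": the proposed text (critical flag ignored once syntax is recognized).
    rule="ford": the reply (critical semantics must be implemented, else do not use)."""
    if rule not in ("kemp", "ford"):
        raise ValueError(f"unknown rule {rule!r}")
    applied = []
    for ext in extensions:
        if ext.oid not in PARSEABLE:
            if ext.critical:
                return False, applied  # unrecognized critical: reject under both readings
            continue                   # unrecognized non-critical: ignore
        if ext.oid in IMPLEMENTED:
            applied.append(ext.oid)    # recognized and implemented: act on it, flag irrelevant
            continue
        # Syntax recognized but semantics not implemented: where the two readings part ways.
        if rule == "ford" and ext.critical:
            return False, applied
        # Under "kemp" the flag is never examined; a non-critical one is ignorable under both.
    return True, applied

def sample_extensions():
    """Constructed extension list: critical keyUsage, non-critical subjectAltName,
    critical certificatePolicies, and an unknown non-critical private extension."""
    return [
        Extension(OID_KEY_USAGE, True),
        Extension(OID_SUBJECT_ALT_NAME, False),
        Extension(OID_CERT_POLICIES, True),
        Extension(OID_PRIVATE, False),
    ]
```

On the sample list the "kemp" reading accepts the certificate while the "ford" reading rejects it at the critical certificatePolicies extension; an unrecognized critical extension is rejected under both.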