Error in Path Validation description in RFC2549?
In RFC2549, Section 6.1 ("Basic Path Validation"), paragraph 7, it is
stated:
The actions performed by the path processing software for each
certificate i=1 through n are described below. The self-signed
certificate is certificate i=1, the end entity certificate is i=n.
The processing is performed sequentially, so that processing
certificate i affects the state variables for processing certificate
(i+1). Note that actions (h) through (m) are not applied to the end
entity certificate (certificate n).
Below that, item (h) is described:
(h) Recognize and process any other critical extension present in
the certificate.
The last statement of the first paragraph would seem to indicate that critical
extensions in the end entity certificate can be ignored. However, in
section 4.2 ("Standard Certificate Extensions"), paragraph 1, it is stated:
A certificate using system MUST reject the certificate if it encounters
a critical extension it does not recognize; however, a non-critical
extension may be ignored if it is not recognized.
Unless I am misreading something, this text is inconsistent. The latter is
clearly the correct procedure, is it not?
me
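The two readings compared in the message above, as an added example that is not part of the original post or of the RFC text. It walks a certificate path in the order the RFC uses (trust anchor first, end entity last), parses each certificate's Extensions field with a minimal DER walker written here, and rejects the path at the first critical extension it does not recognize. The `skip_leaf` switch models the literal reading of the section 6.1 note (step (h) not applied to certificate n) against the section 4.2 MUST-reject rule applied to every certificate. Certificates are modelled by the DER of their Extensions field only, a simplification for this example; the private-arc OID `1.3.6.1.4.1.99999.1` and the sample chain are constructed here and are hypothetical.

```python
"""Critical-extension handling along a certificate path (added example, not
from the original post or RFC). Each certificate is represented by the DER
encoding of its Extensions field only; a real validator parses the whole
TBSCertificate. The private OID below is hypothetical and unrecognized."""

from typing import Iterator, List, Set, Tuple

# Real PKIX extension OIDs (RFC 2459 section 4.2) that this validator "recognizes".
KNOWN_EXTENSIONS: Set[str] = {
    "2.5.29.19",  # basicConstraints
    "2.5.29.15",  # keyUsage
    "2.5.29.14",  # subjectKeyIdentifier
    "2.5.29.35",  # authorityKeyIdentifier
}
UNKNOWN_OID = "1.3.6.1.4.1.99999.1"  # hypothetical private-arc OID, assumed unrecognized


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, short or long definite length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return der(0x06, body)


def decode_oid(body: bytes) -> str:
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    parts = encode_oid(oid)
    if critical:  # DER omits a field equal to its DEFAULT, so FALSE is never written
        parts += der(0x01, b"\xff")
    return der(0x30, parts + der(0x04, value))


def _tlvs(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, content) for each TLV in buf; handles long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n


def critical_extensions(extensions_der: bytes) -> List[str]:
    """Return the OIDs of every extension flagged critical in an Extensions SEQUENCE."""
    tag, seq = next(_tlvs(extensions_der))
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out = []
    for _, ext in _tlvs(seq):
        fields = list(_tlvs(ext))
        # Three fields means the optional BOOLEAN is present; any non-zero value is TRUE.
        if len(fields) == 3 and fields[1][0] == 0x01 and fields[1][1] != b"\x00":
            out.append(decode_oid(fields[0][1]))
    return out


def validate_path(chain: List[bytes], skip_leaf: bool) -> Tuple[bool, str]:
    """Process certificates i = 1..n and reject at the first unrecognized critical
    extension. skip_leaf=True: literal reading of the 6.1 note (step (h) not run
    for certificate n). skip_leaf=False: the 4.2 MUST-reject rule for every cert."""
    n = len(chain)
    for i, ext_der in enumerate(chain, start=1):
        if skip_leaf and i == n:
            continue
        for oid in critical_extensions(ext_der):
            if oid not in KNOWN_EXTENSIONS:
                return False, f"certificate {i}: unrecognized critical extension {oid}"
    return True, "path accepted"


# Constructed sample chain: a CA with critical basicConstraints {cA TRUE} and a
# non-critical subjectKeyIdentifier, then a leaf with critical keyUsage plus an
# unrecognized critical extension.
CA_EXTENSIONS = der(0x30,
    extension("2.5.29.19", True, der(0x30, der(0x01, b"\xff")))
    + extension("2.5.29.14", False, der(0x04, b"\x01\x02\x03\x04")))
LEAF_EXTENSIONS = der(0x30,
    extension("2.5.29.15", True, der(0x03, b"\x05\xa0"))
    + extension(UNKNOWN_OID, True, der(0x04, b"\x00")))
CHAIN = [CA_EXTENSIONS, LEAF_EXTENSIONS]

if __name__ == "__main__":
    print(validate_path(CHAIN, skip_leaf=True))
    print(validate_path(CHAIN, skip_leaf=False))
```

Run stand-alone, the same chain is accepted under the literal 6.1 reading and rejected under the 4.2 rule, which is exactly the gap the message points at: a relying party that skips step (h) for the leaf will silently ignore a critical extension whose semantics it cannot enforce.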