
Re: Error in Path Validation description in RFC2549?
Thank you for pointing out the error.  That paragraph should read:

   The actions performed by the path processing software for each
   certificate i=1 through n are described below.  The self-signed
   certificate is certificate i=1, the end entity certificate is i=n.
   The processing is performed sequentially, so that processing
   certificate j affects the state variables for processing certificate
   (j+1). Note that actions (i) through (m) are not applied to the end
   entity certificate (certificate i=n).

Russ

At 01:59 PM 2/8/99 -0800, Michael Elkins wrote:
>In RFC2549, Section 6.1 ("Basic Path Validation"), paragraph 7, it is
>stated:
>
>   The actions performed by the path processing software for each
>   certificate i=1 through n are described below.  The self-signed
>   certificate is certificate i=1, the end entity certificate is i=n.
>   The processing is performed sequentially, so that processing
>   certificate i affects the state variables for processing certificate
>   (i+1). Note that actions (h) through (m) are not applied to the end
>   entity certificate (certificate n).
>
>Below that, item (h) is described:
>
>      (h)  Recognize and process any other critical extension present in
>      the certificate.
>
>The last statement of the first paragraph would seem to indicate that critical
>extensions in the end entity certificate can be ignored.  However, in
>section 4.2 ("Standard Certificate Extensions"), paragraph 1, it is stated:
>
>   A certificate using system MUST reject the certificate if it encounters
>   a critical extension it does not recognize; however, a non-critical
>   extension may be ignored if it is not recognized.
>
>Unless I am misreading something, this text is inconsistent.  The latter is
>clearly the correct procedure, is it not?
>
>me
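As an added illustration (not part of either message above), here is a toy model of the sequential path-processing loop both messages quote: certificate j updates the state used for certificate j+1, the critical-extension step (h) is applied to every certificate including the end entity (the 4.2 MUST-reject rule Michael points to), and only the CA-specific steps are skipped for i=n. The certificate dicts, the RECOGNIZED set and the path-length bookkeeping are assumptions of the example, not the RFC's text:

```python
# Toy model of the sequential path-processing loop discussed in this thread
# (added example; not code from the RFC or from either correspondent).
# Certificates are constructed dicts; parsing and signature checks are omitted.

# Extensions this toy relying party understands (an assumption of the example).
RECOGNIZED = {"basicConstraints", "keyUsage", "subjectAltName"}


def process_path(chain):
    """Process certificates i=1..n in order; cert j updates the state used
    for cert j+1.  chain[0] is the self-signed certificate, chain[-1] the
    end entity.  Returns (ok, reason)."""
    n = len(chain)
    state = {"max_path_length": n}  # carried from cert j into cert j+1
    for i, cert in enumerate(chain, start=1):
        # Step (h): applied to every certificate, the end entity included.
        # Exempting i=n from this check was the inconsistency raised above.
        for name, critical in cert["extensions"].items():
            if critical and name not in RECOGNIZED:
                return False, f"cert {i}: unrecognized critical extension {name}"
        if i == n:
            continue  # the remaining CA-only steps are skipped for the end entity
        bc = cert.get("basicConstraints")
        if not bc or not bc.get("ca"):
            return False, f"cert {i}: not a CA certificate"
        if i > 1:  # the self-signed cert i=1 does not consume path length
            if state["max_path_length"] <= 0:
                return False, f"cert {i}: path length constraint exceeded"
            state["max_path_length"] -= 1
        plc = bc.get("pathLenConstraint")
        if plc is not None and plc < state["max_path_length"]:
            state["max_path_length"] = plc  # tightens the limit for cert i+1
    return True, "path valid"


def make_cert(basic_constraints=None, critical_exts=(), noncritical_exts=()):
    """Build a constructed toy certificate (extension name -> critical flag)."""
    exts = {name: True for name in critical_exts}
    exts.update({name: False for name in noncritical_exts})
    if basic_constraints is not None:
        exts["basicConstraints"] = True
    return {"basicConstraints": basic_constraints, "extensions": exts}


ROOT = make_cert({"ca": True, "pathLenConstraint": 1})   # constructed sample chain
SUB_CA = make_cert({"ca": True})
GOOD_EE = make_cert(critical_exts=("keyUsage",), noncritical_exts=("unknownNonCriticalExt",))
BAD_EE = make_cert(critical_exts=("unknownCriticalExt",))

if __name__ == "__main__":
    print(process_path([ROOT, SUB_CA, GOOD_EE]))          # (True, 'path valid')
    print(process_path([ROOT, SUB_CA, BAD_EE]))           # rejected at cert 3 by step (h)
    print(process_path([ROOT, SUB_CA, SUB_CA, GOOD_EE]))  # path length exceeded at cert 3
```

Note that GOOD_EE carries no basicConstraints and an unknown non-critical extension, yet passes: the CA-only checks are skipped for the end entity while the critical-extension check still runs on it.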