To: Stephen Kent
From: Martin Rex
Subject: Re: [pkix] Proposal: Change the Criticality Requirement of Name
Date: Thu, 5 Apr 2012 22:40:39 +0200 (MEST)

Stephen Kent wrote:
> At 8:47 PM -0400 4/4/12, Santosh Chokhani wrote:
> >This is quite silly conversation. RP should NOT reject certificate
> >because the criticality flag was not per the standard.
> I think the technically correct statement replaces "should not" with
> "need not."

The behaviour standardized by rfc5280 is equivalent to SHOULD NOT:

rfc5280 section 6.1 Basic Path Validation, 2nd paragraph:

While the certificate and CRL profiles specified in Sections 4 and 5
of this document specify values for certificate and CRL fields and
extensions that are considered to be appropriate for the Internet
PKI, the algorithm presented in this section is not limited to
accepting certificates and CRLs that conform to these profiles.
Therefore, the algorithm only includes checks to verify that the
certification path is valid according to X.509 and does not include
checks to verify that the certificates and CRLs conform to this
profile. While the algorithm could be extended to include checks for
conformance to the profiles in Sections 4 and 5, this profile
RECOMMENDS against including such checks.
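The distinction the quoted paragraph draws, between the X.509 validity check that section 6.1 does perform and the profile-conformance checks it recommends against, is easy to see in code. The following is an added example, not code from the thread or from any PKIX implementation: it hand-encodes a DER Extensions structure, then runs two separate routines over it. The first is the only extension gate a relying party needs for X.509 validity (RFC 5280 section 4.2: reject a certificate carrying a critical extension the RP does not recognize). The second reports where criticality disagrees with the section 4.2.1 rules for conforming CAs (AKI and SKI MUST be non-critical, keyUsage SHOULD be critical). The extension lists, the placeholder extnValue bytes and the OID 1.2.3.4 are constructed for the example; the DER helpers cover only what Extensions needs and are not a general ASN.1 library.

```python
"""Added example: X.509 validity check vs. RFC 5280 profile conformance
for certificate extensions.  Sample data is constructed, not from real
certificates; the DER code handles only the Extensions structure."""

# ---- minimal DER helpers (Extensions only, not a general ASN.1 library) ----

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, off):
    """Return (tag, content, next_offset) for the TLV starting at buf[off]."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def encode_extension(oid, critical, value):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }"""
    body = encode_oid(oid)
    if critical:                       # DER omits a DEFAULT FALSE value
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

def encode_extensions(exts):
    return tlv(0x30, b"".join(encode_extension(*e) for e in exts))

def decode_extensions(der):
    """Parse Extensions into a list of (oid, critical, extnValue) tuples."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, off = [], 0
    while off < len(seq):
        tag, ext, off = read_tlv(seq, off)
        tag, oid_bytes, pos = read_tlv(ext, 0)
        critical = False
        tag, content, nxt = read_tlv(ext, pos)
        if tag == 0x01:                # explicit BOOLEAN (TRUE, or a BER-style FALSE)
            critical = content != b"\x00"
            tag, content, nxt = read_tlv(ext, nxt)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid_bytes), critical, content))
    return result

# Extensions this relying party implements, so it can recognize and process them.
RECOGNIZED = {"2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage",
              "2.5.29.35": "authorityKeyIdentifier"}

# RFC 5280 4.2.1 rules for conforming CAs: True = critical, False = non-critical.
# This is profile text for issuers and linters, not an input to path validation.
PROFILE_CRITICALITY = {"2.5.29.14": False,   # SKI MUST be non-critical (4.2.1.2)
                       "2.5.29.15": True,    # keyUsage SHOULD be critical (4.2.1.3)
                       "2.5.29.35": False}   # AKI MUST be non-critical (4.2.1.1)

def x509_extension_check(exts):
    """The only extension gate needed for X.509 validity: every critical
    extension must be recognized.  A recognized extension marked with the
    'wrong' criticality for the profile is still accepted here."""
    for oid, critical, _ in exts:
        if critical and oid not in RECOGNIZED:
            return False, "unrecognized critical extension %s" % oid
    return True, "path-valid per X.509"

def profile_deviations(exts):
    """Section 4 conformance findings: what a lint tool reports, and what
    section 6.1 RECOMMENDS against turning into a rejection."""
    return ["%s marked critical=%s, profile expects %s"
            % (RECOGNIZED[oid], critical, PROFILE_CRITICALITY[oid])
            for oid, critical, _ in exts
            if oid in PROFILE_CRITICALITY and critical != PROFILE_CRITICALITY[oid]]

# Constructed samples; extnValue bytes are placeholders, 1.2.3.4 is a dummy OID.
MISMARKED = encode_extensions([("2.5.29.14", True, b"\x04\x02\xab\xcd"),   # SKI critical
                               ("2.5.29.15", False, b"\x03\x02\x05\xa0")])  # KU non-critical
UNKNOWN_CRITICAL = encode_extensions([("2.5.29.15", True, b"\x03\x02\x05\xa0"),
                                      ("1.2.3.4", True, b"\x05\x00")])

def evaluate(der):
    """Return (x509 verdict, list of profile deviations) for a DER Extensions blob."""
    exts = decode_extensions(der)
    return x509_extension_check(exts), profile_deviations(exts)

if __name__ == "__main__":
    for name, der in (("MISMARKED", MISMARKED), ("UNKNOWN_CRITICAL", UNKNOWN_CRITICAL)):
        print(name, *evaluate(der))
```

Run as a script, the MISMARKED sample passes the X.509 gate while producing two profile findings, and the UNKNOWN_CRITICAL sample is rejected by the gate with no profile findings at all: the two questions are independent, which is exactly why folding the second into path validation changes interoperability rather than security.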

