Test 4.4.9 is not RFC3280 compliant?
I have a question about whether this test is following RFC 3280 
correctly. In the test description in the test manual, it says:

"In this test, the end entity's certificate has been revoked. In the 
intermediate CA's CRL, there is a made up critical extension in the 
crlExtensions field. [X.509 7.3] NOTE 4 - When an implementation does 
not recognize a critical extension in the crlExtensions field, it shall 
assume that identified certificates have been revoked and are no longer 
valid."

However, RFC 3280 says (in section 5.2):

"Each extension in a CRL may be designated as critical or non-critical. 
If a CRL contains a critical extension that the application cannot 
process then the application MUST NOT use that CRL to determine the 
status of certificates."

which is different from X.509. According to RFC 3280, this CRL must be 
rejected and not used to determine revocation status. Thus, (I think) 
the expected result should be: "The path should not validate 
successfully since the status of the end entity's certificate cannot be 
determined." and not "The path should not validate successfully since 
the end entity's certificate has been revoked."

Thanks,
Sean
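The distinction raised above, worked through in code as an added example (not part of the message, the NIST PKITS test data, or any reference implementation): a small CRL evaluator that applies the RFC 3280 section 5.2 rule. When the crlExtensions field carries a critical extension the evaluator does not recognise, the CRL is not consulted at all and the certificate's status comes back as "undetermined" rather than "revoked" or "good"; otherwise the revokedCertificates list decides. The DER encoder and decoder are deliberately minimal and cover only this TBSCertList; signature verification, issuer matching and validity-period checks are out of scope. The issuer name, dates, serial numbers and the "made up" critical extension OID 1.2.3.4.5.6.7.8.9 are all constructed placeholders, not values from test 4.4.9.

```python
# Added example: RFC 3280 section 5.2 handling of an unrecognised critical
# CRL extension, using a tiny hand-rolled DER encoder/decoder. No signature
# checking is performed; the point is purely the status decision.

def _der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(v):
    """DER INTEGER for a non-negative value (minimal bytes, sign bit clear)."""
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _der_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def _tlv(buf, off=0):
    """Decode one TLV at offset; returns (tag, content, next_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + ln], off + ln

def _children(content):
    """Split the content of a constructed TLV into (tag, content) pairs."""
    items, off = [], 0
    while off < len(content):
        tag, val, off = _tlv(content, off)
        items.append((tag, val))
    return items

def _oid_str(val):
    """Dotted notation for a DER OID content octet string."""
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def build_tbs_crl(revoked_serials, extensions):
    """Constructed TBSCertList (RFC 3280 5.1.2) with placeholder issuer/dates.
    extensions: list of (oid, critical, extnValue bytes)."""
    alg = _der(0x30, _der_oid("1.2.840.113549.1.1.11"))        # sha256WithRSAEncryption
    issuer = _der(0x30, _der(0x31, _der(0x30, _der_oid("2.5.4.3") + _der(0x0C, b"Example CA"))))
    body = _der_int(1) + alg + issuer                            # version v2(1), signature, issuer
    body += _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z")  # thisUpdate, nextUpdate
    if revoked_serials:
        body += _der(0x30, b"".join(
            _der(0x30, _der_int(s) + _der(0x17, b"240101000000Z")) for s in revoked_serials))
    exts = b"".join(
        _der(0x30, _der_oid(oid) + (_der(0x01, b"\xff") if crit else b"") + _der(0x04, value))
        for oid, crit, value in extensions)
    body += _der(0xA0, _der(0x30, exts))                        # crlExtensions [0] EXPLICIT
    return _der(0x30, body)

# CRL extensions this (toy) relying party actually knows how to process.
KNOWN_CRL_EXTENSIONS = {"2.5.29.20": "cRLNumber", "2.5.29.35": "authorityKeyIdentifier"}

def _parse_tbs(tbs_der):
    """Positional parse of TBSCertList -> (set of revoked serials, [(oid, critical)])."""
    fields = _children(_tlv(tbs_der)[1])
    i = 1 if fields[0][0] == 0x02 else 0                         # optional version
    i += 3                                                       # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                                   # optional nextUpdate
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:
        for _, entry in _children(fields[i][1]):
            revoked.add(int.from_bytes(_children(entry)[0][1], "big"))
        i += 1
    exts = []
    if i < len(fields) and fields[i][0] == 0xA0:
        for _, ext in _children(_children(fields[i][1])[0][1]):
            parts = _children(ext)
            exts.append((_oid_str(parts[0][1]), len(parts) == 3 and parts[1][1] == b"\xff"))
    return revoked, exts

def certificate_status(tbs_der, serial):
    """'undetermined' if the CRL is unusable (RFC 3280 5.2), else 'revoked'/'good'."""
    revoked, exts = _parse_tbs(tbs_der)
    if any(crit and oid not in KNOWN_CRL_EXTENSIONS for oid, crit in exts):
        return "undetermined"      # MUST NOT use this CRL to determine status
    return "revoked" if serial in revoked else "good"

CRL_NUMBER = ("2.5.29.20", False, _der_int(7))
MADE_UP_CRITICAL = ("1.2.3.4.5.6.7.8.9", True, b"\x05\x00")    # placeholder OID, NULL payload

def demo():
    """Same revoked serial, with and without the unrecognised critical extension."""
    normal = build_tbs_crl([0x1001], [CRL_NUMBER])
    tainted = build_tbs_crl([0x1001], [CRL_NUMBER, MADE_UP_CRITICAL])
    return {
        "normal/revoked": certificate_status(normal, 0x1001),
        "normal/other": certificate_status(normal, 0x2002),
        "unknown-critical/revoked": certificate_status(tainted, 0x1001),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The third case is the one the message is about: the serial is on the list, but under the RFC 3280 rule the evaluator never gets as far as looking it up, so the path still fails, only for the reason "status undetermined" rather than "revoked". A path validator that instead followed the X.509 note quoted in the test description would return "revoked" there; the two behaviours are only distinguishable by the failure reason, which is exactly what the expected-result text encodes.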