Re: Test 4.4.9 is not RFC3280 compliant?
- Subject: Re: Test 4.4.9 is not RFC3280 compliant?
- From: "David A. Cooper" <david.cooper@nist.gov>
- Date: Mon, 24 Jul 2006 17:58:25 -0400
- In-Reply-To: <44C53002.2060209@Sun.COM>
- References: <44C53002.2060209@Sun.COM>
Sean,
You are correct. When I wrote the description for this test, I did so
based on X.509. After PKITS was completed, X.509 was changed to align
with RFC 3280, so both now indicate that a CRL with an unrecognized
critical CRL extension cannot be used to determine the status of a
certificate.
Dave
Sean Mullan wrote:
> I have a question about whether this test is following RFC 3280
> correctly. In the test description in the test manual, it says:
>
> "In this test, the end entity's certificate has been revoked. In the
> intermediate CA's CRL, there is a made up critical extension in the
> crlExtensions field. [X.509 7.3] NOTE 4 - When an implementation does
> not recognize a critical extension in the crlExtensions field, it
> shall assume that identified certificates have been revoked and are no
> longer valid."
>
> However, RFC 3280 says (in section 5.2):
>
> "Each extension in a CRL may be designated as critical or
> non-critical. If a CRL contains a critical extension that the
> application cannot process then the application MUST NOT use that CRL
> to determine the status of certificates."
>
> which is different than X.509. According to RFC 3280, this CRL must be
> rejected and not used to determine revocation status. Thus, (I think)
> the expected result should be: "The path should not validate
> successfully since the status of the end entity's certificate cannot
> be determined." and not "The path should not validate successfully
> since the end entity's certificate has been revoked."
>
> Thanks,
> Sean
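The RFC 3280 section 5.2 rule quoted above, applied in code as an added example (this is not code from the thread, from PKITS or from NIST): a minimal DER walker that reads a CRL's revokedCertificates and crlExtensions and refuses to use the CRL when it carries a critical extension it does not recognise, so the end entity's status comes back "undetermined" rather than "revoked" or "good". The CRL is constructed inline by the block itself, the unknown extension OID is a made-up stand-in for the test's made-up extension, and the CRL is unsigned; a real validator must also verify the CRL signature, issuer and freshness, which this example skips.

```python
"""Added example: RFC 3280 s.5.2 handling of an unrecognised critical CRL extension.
The sample CRL below is constructed here (unsigned, dummy signatureValue); it is not
a PKITS artifact. Signature, issuer and freshness checks are deliberately omitted."""

# ---- tiny DER encoder, just enough to build the sample CertificateList ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):  # non-negative INTEGER, DER-minimal leading zero when high bit is set
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

# ---- tiny DER decoder ----
def read_tlv(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# ---- constructed sample CRL (RFC 3280 s.5.1 CertificateList layout) ----
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
CRL_NUMBER = "2.5.29.20"
UNKNOWN_OID = "1.3.6.1.4.1.99999.9"   # constructed stand-in for the test's made-up extension
TIME = b"060724000000Z"               # UTCTime
KNOWN_CRL_EXTENSIONS = {"2.5.29.20", "2.5.29.35", "2.5.29.28", "2.5.29.27"}  # cRLNumber, AKI, IDP, delta

def alg_id():
    return seq(encode_oid(SHA256_WITH_RSA), tlv(0x05, b""))

def name_cn(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, CN only
    return seq(tlv(0x31, seq(encode_oid("2.5.4.3"), tlv(0x13, cn.encode()))))

def build_crl(revoked_serials, extensions):
    """extensions: list of (oid, critical, der_value); critical omitted when FALSE (DER DEFAULT)."""
    revoked = seq(*[seq(integer(s), tlv(0x17, TIME)) for s in revoked_serials]) if revoked_serials else b""
    exts = seq(*[seq(encode_oid(o), tlv(0x01, b"\xff") if crit else b"", tlv(0x04, v))
                 for o, crit, v in extensions])
    tbs = seq(integer(1), alg_id(), name_cn("Constructed Intermediate CA"),
              tlv(0x17, TIME), tlv(0x17, b"070724000000Z"), revoked, tlv(0xA0, exts))
    return seq(tbs, alg_id(), tlv(0x03, b"\x00" * 9))  # dummy signatureValue, never verified here

def parse_crl(der):
    """Return (set of revoked serials, list of (extnID, critical)) from a DER CertificateList."""
    fields = children(children(read_tlv(der)[1])[0][1])  # tbsCertList fields
    i = 1 if fields[0][0] == 0x02 else 0                  # optional version
    i += 3                                                # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):  # optional nextUpdate
        i += 1
    revoked, extensions = set(), []
    if i < len(fields) and fields[i][0] == 0x30:          # optional revokedCertificates
        for _, entry in children(fields[i][1]):
            revoked.add(int.from_bytes(children(entry)[0][1], "big"))
        i += 1
    if i < len(fields) and fields[i][0] == 0xA0:          # optional [0] EXPLICIT crlExtensions
        for _, ext in children(children(fields[i][1])[0][1]):
            parts = children(ext)
            critical = len(parts) == 3 and parts[1][1] != b"\x00"
            extensions.append((decode_oid(parts[0][1]), critical))
    return revoked, extensions

def certificate_status(crl_der, serial, known=KNOWN_CRL_EXTENSIONS):
    """RFC 3280 s.5.2: a critical extension we cannot process means the CRL MUST NOT be
    used at all, so the answer is 'undetermined', not 'revoked' (the pre-alignment X.509
    note quoted in the thread would instead have treated listed certificates as revoked)."""
    revoked, extensions = parse_crl(crl_der)
    if any(crit and oid not in known for oid, crit in extensions):
        return "undetermined"
    return "revoked" if serial in revoked else "good"

# The 4.4.9 shape: the end entity (serial 2) is listed, and the CRL carries an unknown critical extension.
CRL_WITH_UNKNOWN_CRITICAL = build_crl([2], [(CRL_NUMBER, False, integer(7)), (UNKNOWN_OID, True, b"\x05\x00")])
CRL_WITHOUT_UNKNOWN = build_crl([2], [(CRL_NUMBER, False, integer(7))])

if __name__ == "__main__":
    print(certificate_status(CRL_WITH_UNKNOWN_CRITICAL, 2))  # undetermined
    print(certificate_status(CRL_WITHOUT_UNKNOWN, 2))        # revoked
```

Both outcomes fail path validation, which is why the test's pass/fail verdict does not change; what the corrected expected result fixes is the reason reported, and that matters to an implementation that, for example, falls back to OCSP or another CRL when status is undetermined but stops immediately on "revoked". Passing the made-up OID in `known` shows the same CRL yielding "revoked" once the extension is understood.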