RE: Test 4.4.9 is not RFC3280 compliant?
- Subject: RE: Test 4.4.9 is not RFC3280 compliant?
- From: "Seth Hitchings" <shitchings@corestreet.com>
- Date: Thu, 3 Aug 2006 13:43:01 -0400
- In-Reply-To: <44C54281.1040300@nist.gov>
Dave,
Should this also apply to test 4.4.8, which relates to unrecognized critical
CRL entry extensions? RFC 3280 carries the same language for both cases.
Seth
-----Original Message-----
From: pkits@NIST.GOV [mailto:pkits@NIST.GOV] On Behalf Of David A. Cooper
Sent: Monday, July 24, 2006 6:06 PM
To: Multiple recipients of list
Subject: Re: Test 4.4.9 is not RFC3280 compliant?
Sean,
You are correct. When I wrote the description for this test, I did so based
on X.509. After PKITS was completed, X.509 was changed to align with RFC
3280, so both now indicate that a CRL with an unrecognized critical CRL
extension cannot be used to determine the status of a certificate.
Dave
Sean Mullan wrote:
> I have a question about whether this test is following RFC 3280
> correctly. In the test description in the test manual, it says:
>
> "In this test, the end entity's certificate has been revoked. In the
> intermediate CA's CRL, there is a made up critical extension in the
> crlExtensions field. [X.509 7.3] NOTE 4 - When an implementation does
> not recognize a critical extension in the crlExtensions field, it
> shall assume that identified certificates have been revoked and are no
> longer valid."
>
> However, RFC 3280 says (in section 5.2):
>
> "Each extension in a CRL may be designated as critical or
> non-critical. If a CRL contains a critical extension that the
> application cannot process then the application MUST NOT use that CRL
> to determine the status of certificates."
>
> which is different from X.509. According to RFC 3280, this CRL must be
> rejected and not used to determine revocation status. Thus, (I think)
> the expected result should be: "The path should not validate
> successfully since the status of the end entity's certificate cannot
> be determined." and not "The path should not validate successfully
> since the end entity's certificate has been revoked."
>
> Thanks,
> Sean
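The distinction the thread turns on, as an added example that is not code from the PKITS list, NIST or anyone on the thread: a relying party applying RFC 3280 section 5.2 (unrecognized critical CRL extension, test 4.4.9) and section 5.3 (unrecognized critical CRL entry extension, test 4.4.8) must report the end entity's status as undetermined rather than revoked, even though the serial is on the list, and only a CRL whose critical extensions are all recognized yields "revoked". The walker below is a minimal stdlib DER encoder/decoder; the serial numbers, the made-up extension OID 1.3.6.1.4.1.99999.1, the empty placeholder issuer Name and the dates are constructed for the example, and the CRL signature is assumed to have been verified before this check runs.

```python
# Added example; not code from the PKITS list, NIST or any participant.
# Minimal DER walker applying RFC 3280 criticality rules to a CRL:
#   s5.2 unrecognized critical CRL extension       -> status "undetermined"
#   s5.3 unrecognized critical CRL entry extension -> "undetermined" for ANY serial
# Constructed: serials, the "made up" OID, empty issuer Name; signature assumed verified.
RECOGNIZED_CRL_EXTS = {"2.5.29.20", "2.5.29.35"}    # cRLNumber, authorityKeyIdentifier
RECOGNIZED_ENTRY_EXTS = {"2.5.29.21", "2.5.29.24"}  # reasonCode, invalidityDate
MADE_UP_OID = "1.3.6.1.4.1.99999.1"                 # hypothetical, unrecognized
EE_SERIAL = 0x1234                                  # constructed end-entity serial

# --- tiny DER encoder, enough to build a TBSCertList ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def der_int(v): return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def der_seq(*items): return der(0x30, b"".join(items))
def der_time(s): return der(0x17, s.encode())           # UTCTime
def der_oid(s):
    arcs = [int(a) for a in s.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))
def der_ext(oid, critical, value=b""):
    flag = der(0x01, b"\xff") if critical else b""       # BOOLEAN DEFAULT FALSE
    return der_seq(der_oid(oid), flag, der(0x04, value))

# --- tiny DER decoder ---
def der_read(buf, pos=0):
    """(tag, content, next_pos) of the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln
def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out
def oid_str(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v); v = 0
    return ".".join(map(str, arcs))
def parse_exts(content):
    """Extensions ::= SEQUENCE OF Extension  ->  [(oid, critical), ...]"""
    out = []
    for _, ext in der_children(content):
        f = der_children(ext)
        out.append((oid_str(f[0][1]), len(f) == 3 and f[1][0] == 0x01 and f[1][1] != b"\x00"))
    return out
def unprocessable(exts, known): return [o for o, c in exts if c and o not in known]

# --- the check under discussion ---
def crl_status(tbs_der, serial):
    """('revoked' | 'good' | 'undetermined', reason) for one serial number."""
    fields = der_children(der_read(tbs_der)[1])
    i = next(k for k, (t, _) in enumerate(fields) if t in (0x17, 0x18))   # thisUpdate
    revoked, crl_exts = [], []
    for tag, body in fields[i + 1:]:                     # nextUpdate (a time) is skipped
        if tag == 0x30:                                  # revokedCertificates
            revoked = der_children(body)
        elif tag == 0xA0:                                # [0] EXPLICIT crlExtensions
            crl_exts = parse_exts(der_read(body)[1])
    bad = unprocessable(crl_exts, RECOGNIZED_CRL_EXTS)
    if bad:                                              # RFC 3280 s5.2
        return "undetermined", "unrecognized critical CRL extension " + bad[0]
    hit = False
    for _, entry in revoked:                             # scan ALL entries first (s5.3)
        f = der_children(entry)
        bad = unprocessable(parse_exts(f[2][1]) if len(f) > 2 else [], RECOGNIZED_ENTRY_EXTS)
        if bad:
            return "undetermined", "unrecognized critical CRL entry extension " + bad[0]
        hit = hit or int.from_bytes(f[0][1], "big", signed=True) == serial
    return ("revoked" if hit else "good"), "CRL processed"

# --- a constructed CRL with one revoked entry (EE_SERIAL), parameterised like the tests ---
def status_for(crl_exts, entry_exts, serial=EE_SERIAL):
    entry = [der_int(EE_SERIAL), der_time("060724000000Z")]
    entry += [der_seq(*[der_ext(o, c) for o, c in entry_exts])] if entry_exts else []
    tbs = der_seq(der_int(1),                                # version v2
                  der_seq(der_oid("1.2.840.113549.1.1.5")),  # sha1WithRSAEncryption
                  der_seq(),                                 # issuer Name (placeholder)
                  der_time("060724000000Z"), der_time("070724000000Z"),
                  der_seq(der_seq(*entry)),
                  der(0xA0, der_seq(*[der_ext(o, c) for o, c in crl_exts])))
    return crl_status(tbs, serial)

if __name__ == "__main__":
    print("4.4.9:", *status_for([("2.5.29.20", False), (MADE_UP_OID, True)], []))
    print("4.4.8:", *status_for([("2.5.29.20", False)], [(MADE_UP_OID, True)]))
    print("usable:", *status_for([(MADE_UP_OID, False)], [("2.5.29.21", False)]))
```

Both PKITS outcomes still fail path validation, but the reason differs, and the reason matters operationally: "undetermined" means the relying party should try another revocation source (a fresher CRL, a delta, OCSP) or fail closed per local policy, while "revoked" is a final answer. Note that the entry-extension rule is applied across every entry before the serial is compared, since 5.3 makes the whole CRL unusable, not just the offending entry.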