ietf-openpgp

Re: Some -15 comments

2005-11-15 11:29:28

Jon Callas writes:
The critical flag can be called (only slightly humorously) the
non-interoperable flag.

Normally, when an implementation sees any subpacket it doesn't
understand, it ignores it. But with the critical flag, you error out
if you don't understand it.

That's not my understanding.  Rather, you don't consider the signature
valid, if there is a critical subpacket you don't understand.  You don't
"error out."

Now, for document signatures, failure to understand a critical notation
may in some cases be as bad as erroring-out, because whatever purpose
was meant to be expressed by creating the signature, won't happen.
But for keyring signatures, which are often redundant, we could for
example imagine a signature which says, I am not vouching for the binding
between userid and key, but rather I am making a certain assertion about
this userid or key.  If we don't understand this notation the correct
thing is to ignore the signature, and that is in fact what the spec says
should happen.

Critical notations allow implementors to essentially extend signature
semantics beyond the official set of signature types.  We have a protected
namespace for proprietary extensions, and we have the ability for legacy
applications silently to ignore unrecognized extensions.  It's a good
feature.

Hal Finney
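The handling rule Hal describes, as an added example that is not part of the thread or of any OpenPGP implementation: a verifier walks the signature subpackets (wire format per RFC 4880 section 5.2.3.1), skips unknown non-critical ones, and treats a signature carrying an unknown critical subpacket as not valid rather than raising an error. The UNDERSTOOD set, the notation name and the sample values are constructed for the example.

```python
# Added example: unknown non-critical subpackets are ignored, an unknown
# critical subpacket makes the signature "not valid" (skipped), and only
# malformed data is a hard error. Subpacket format: RFC 4880 5.2.3.1.
import struct
from typing import List, Tuple

CRITICAL_BIT = 0x80

# Subpacket types this hypothetical verifier understands (constructed subset
# of the registry): creation time, expiry, preferred sym algs, issuer, key flags.
UNDERSTOOD = {2, 3, 11, 16, 27}

def parse_subpackets(data: bytes) -> List[Tuple[int, bool, bytes]]:
    """Return (type, critical, body) for each subpacket in `data`."""
    out = []
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:                                 # five-octet length
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(data):
            raise ValueError("malformed subpacket length")  # the real error case
        type_octet = data[i]                  # bit 7 is the critical flag
        out.append((type_octet & 0x7F, bool(type_octet & CRITICAL_BIT),
                    data[i + 1:i + length]))
        i += length
    return out

def signature_usable(data: bytes, understood=UNDERSTOOD) -> bool:
    """False means: do not consider this signature valid; just skip it."""
    for stype, critical, _ in parse_subpackets(data):
        if stype in understood:
            continue
        if critical:
            return False      # unknown critical subpacket: signature not valid
        # unknown, non-critical: ignore the subpacket and keep going
    return True

def encode_subpacket(stype: int, body: bytes, critical: bool = False) -> bytes:
    """Build a subpacket (one-octet length form) for the constructed samples."""
    length = 1 + len(body)
    assert length < 192
    return bytes([length, stype | (CRITICAL_BIT if critical else 0)]) + body

def notation(name: bytes, value: bytes, critical: bool) -> bytes:
    # Notation data (type 20): 4 flag octets, name len, value len, name, value
    body = b"\x80\x00\x00\x00" + struct.pack(">HH", len(name), len(value)) + name + value
    return encode_subpacket(20, body, critical)

# Constructed samples: creation time + issuer + a proprietary notation
creation = encode_subpacket(2, struct.pack(">I", 1132054168))
issuer = encode_subpacket(16, bytes(8))
legacy_ok = creation + issuer + notation(b"role@example.com", b"auditor", False)
legacy_skip = creation + issuer + notation(b"role@example.com", b"auditor", True)
```

A legacy application that does not know the notation keeps `legacy_ok` and quietly drops `legacy_skip`; an application that adds type 20 to its understood set accepts both.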
