Steve,
You are right that I meant to refer to 1422, not 1424. I also
agree with your observation that a certificate is validated only with
respect to a given certification context. RFC 1422 defines what is
required to validate a certificate for use with PEM, relative to the
only certification context currently defined for the Internet. The
RFC explicitly acknowledges the possibility that CAs might sign
certificates that are NOT used with PEM and that these certificates
might not conform to the constraints established for certificates that
are accepted by PEM implementations. Thus, for example, a CA might
issue cross-certificates and users might have forward and reverse
certificates, but these have no relevance to compliant PEM user
agents, i.e., the existence of the certificates is not supposed to
affect the validation procedure defined for a PEM UA.
RFC 1422 establishes not only the requirements for an Internet
certification infrastructure in support of PEM, but also establishes
the requirements for how a compliant PEM implementation validates
certificates. In this latter context, the RFC specifies the complete
set of rules for certificate validation, not a subset. If the
specification were interpreted as being only a subset of the rules a
PEM UA could implement, then an implementation could apply other rules
that might conflict with the rules in the RFC and the user would have
to be informed under what other rules (defined in what RFC?) the
certificate was validated. If you agree that a user can be easily
overloaded by a complex set of validation rules and by presentation of
lots of validation data, then this interpretation of 1422, as
specifying only a subset of validation rules, certainly has its
drawbacks.
Steve