Mark:
I would have thought that perhaps there would only be a CRL entry critical
extension if some form of 'special handling' of the revoked certificate was
required, which would indicate that this certificate was only being used in
a particular application. Thus there probably should have been a
complementary critical extension in the issued certificate itself, so that
a user outside of this application, unable to perform this special handling,
would never be using the certificate.
Having a CRL receiver ignore extensions in entries revoking certificates it
doesn't have would then be beneficial in that a CA doesn't need to issue
multiple (simultaneous) CRLs for each flavour of critical extension.
Sounds logical. I shall support the clarification of the spec in the direction
you suggest.
Warwick
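
An added example, not part of the original message or of any specification text: it models the two readings of the rule side by side, so the effect on a relying party that shares one CRL with an application-specific community is visible. The `Entry` structure, the status strings, the placeholder OID under 1.3.6.1.4.1.99999 and the fail-closed choice for a matching entry are assumptions made for illustration.

```python
from dataclasses import dataclass, field

REASON_CODE = "2.5.29.21"          # standard reasonCode CRL entry extension
APP_A_EXT = "1.3.6.1.4.1.99999.1"  # hypothetical application-specific extension (placeholder OID)


@dataclass
class Entry:
    serial: int
    extensions: dict = field(default_factory=dict)  # OID -> critical flag


def unknown_critical(entry, understood):
    """Critical extensions in this entry that the receiver cannot process."""
    return [oid for oid, critical in entry.extensions.items()
            if critical and oid not in understood]


def status_strict(crl, serial, understood):
    """Reading 1: an unrecognised critical extension in ANY entry makes the
    whole CRL unusable for this receiver."""
    if any(unknown_critical(e, understood) for e in crl):
        return "undetermined"
    return "revoked" if any(e.serial == serial for e in crl) else "good"


def status_entry_scoped(crl, serial, understood):
    """Reading 2 (the direction discussed above): only the entry for the
    certificate being checked is examined; other entries' extensions are ignored."""
    for e in crl:
        if e.serial == serial:
            # Assumption: fail closed when the special handling cannot be done.
            if unknown_critical(e, understood):
                return "revoked-unprocessable"
            return "revoked"
    return "good"


# Constructed sample: one CRL shared by general users and application A.
CRL = [Entry(1001, {REASON_CODE: False}), Entry(2002, {APP_A_EXT: True})]
GENERAL = {REASON_CODE}            # extensions a general-purpose receiver understands

if __name__ == "__main__":
    for s in (1001, 2002, 3003):
        print(s, status_strict(CRL, s, GENERAL), status_entry_scoped(CRL, s, GENERAL))
```

Under the strict reading the general-purpose receiver cannot use this CRL at all, which is what would force the CA to issue a separate CRL per flavour of critical extension.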