pem-dev

Re: X.509 v3 support (CRLs and critical extensions)

1995-01-17 08:45:00
Mark:

I would have thought that perhaps there would only be a CRL entry critical
extension if some form of 'special handling' of the revoked certificate was
required, which would indicate that this certificate was only being used in
a particular application.  Thus there probably should have been a
complementary critical extension in the issued certificate itself, so that
a user outside of this application, unable to perform this special handling,
would never be using the certificate.

Having a CRL receiver ignore extensions in entries revoking certificates it 
doesn't have would then be beneficial in that a CA doesn't need to issue
multiple (simultaneous) CRLs for each flavour of critical extension.

Sounds logical.  I shall support the clarification of the spec in the
direction you suggest.

I agree that it seems reasonable to ignore critical extensions in individual
certificates that you are not interested in anyway.

I think we ought to try hard to think up some examples before we make up our
minds on this. I'd hate to have to come back and redo it later on.

Bob




--------------------------------
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
FAX: 1-617-466-2603 
Voice: 1-617-466-2820
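
The two receiver behaviours under discussion in this message, as an added example that is not part of the original post or of any PEM implementation. The data model, the extension name `appSpecialHandling` and the sample CRL are constructed for illustration, and the set of extensions the receiver understands is an assumption.

```python
from dataclasses import dataclass, field

# Assumption: entry extensions this hypothetical receiver can process.
KNOWN_ENTRY_EXTENSIONS = {"reasonCode", "invalidityDate"}

@dataclass
class Extension:
    name: str
    critical: bool

@dataclass
class CrlEntry:
    serial: int
    extensions: list = field(default_factory=list)

def unprocessable(entry):
    """Names of critical extensions on this entry the receiver cannot handle."""
    return [e.name for e in entry.extensions
            if e.critical and e.name not in KNOWN_ENTRY_EXTENSIONS]

def status_whole_crl(crl, serial):
    """Strict rule: one unprocessable critical entry extension anywhere
    in the CRL makes the whole CRL unusable to this receiver."""
    if any(unprocessable(e) for e in crl):
        return "undetermined"
    return "revoked" if any(e.serial == serial for e in crl) else "good"

def status_per_entry(crl, serial):
    """Rule discussed in the message: only the entry for the certificate
    being checked must be understood; other entries are skipped."""
    for entry in crl:
        if entry.serial != serial:
            continue  # not a certificate we hold: ignore its extensions
        # Callers should fail closed on "undetermined" (do not accept the cert).
        return "undetermined" if unprocessable(entry) else "revoked"
    return "good"

# Constructed sample CRL: one entry carries an application-specific
# critical extension that a general-purpose receiver does not know.
SAMPLE_CRL = [
    CrlEntry(1001, [Extension("reasonCode", False)]),
    CrlEntry(2002, [Extension("appSpecialHandling", True)]),
    CrlEntry(3003),
]

if __name__ == "__main__":
    for serial in (1001, 2002, 3003, 4004):
        print(serial, status_whole_crl(SAMPLE_CRL, serial),
              status_per_entry(SAMPLE_CRL, serial))
```

With the strict rule, the single application-specific entry forces the CA to issue a separate CRL for receivers outside that application; with the per-entry rule one CRL serves both.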

