I would suggest that perhaps there is a critical extension that would need to
be placed in all certificates issued by this [P]CA:

Not sure I follow you here. Provided default CRL-processing gives safest
behaviour, I cannot see why any of this is necessary.

It appeared to me that Bob Jueneman's example was attaching more semantics to
the revocation operations than what would be required from X.509: this
critical extension would effectively say "This is not an ordinary certificate"
so that all other, plain-X.509-based, applications never make use of it.
I would hope however that there's a better mechanism than "ships that pass in
the night" certificates for actual applications.

As I have stated before, critical extensions are dangerous for
interoperability reasons, hence should be avoided unless there is any risk
of an older system behaving insecurely by virtue of its having ignored a
newer extension.

agree.
------------------------------------------------------------
Mark Wahl; M(_dot_)Wahl(_at_)isode(_dot_)com; ISODE Consortium;
http://www.isode.com/