Dear All

A colleague has been testing how various browsers behave when faced with SSL certificates with various extensions marked critical or not-critical. He has found that the browsers behave in different ways. He says that one of the problems is that the standard is not specific enough on how the browsers should behave in all circumstances.

Here is one scenario to consider. An extension is marked critical and the RP software understands the extension but only implements part of it (say it has an OID for describing elements of it, or it is a set of choices). Does the text in X.509 say how the RP should handle this? I think not. Should the unknown parts of the extension be ignored or should the entire certificate be rejected? e.g. the extension is Subject Alt Names and some of the names are understood and some are not.

As a side issue, an RP can decide to accept any certificate, regardless of what the CA says in the certificate (and some browsers allow the user to do this). In this case the CA won't accept any liability and the RP is acting outside the standard. But is this stated clearly enough in the standard?

regards

David

--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
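The scenario in the message above (a critical subjectAltName extension whose GeneralName choices the relying party only partly implements) can be made concrete as a small relying-party decision routine. The following Python is an added example written for this page; it is not code from the author, the list, or any browser. Certificates and extensions are modelled as plain Python data with constructed sample values rather than real DER, the OIDs for subjectAltName (2.5.29.17) and keyUsage (2.5.29.15) and the GeneralName tag numbers for dNSName (2) and iPAddress (7) are the real X.509 ones, and `1.3.6.1.4.1.99999.1` is a placeholder OID for an extension the RP does not recognise. The one rule the code treats as settled is RFC 5280's: an unrecognised extension marked critical causes rejection, an unrecognised non-critical one is ignored. The case the message says the standard leaves open (recognised extension, partially implemented content) is deliberately a parameter, `strict_partial`, so both behaviours the message describes can be run side by side.

```python
"""Model of relying-party (RP) handling of critical X.509 extensions.

Everything here is constructed sample data; no DER is parsed.
"""
from dataclasses import dataclass, field

OID_SUBJECT_ALT_NAME = "2.5.29.17"
OID_KEY_USAGE = "2.5.29.15"
OID_UNKNOWN_PRIVATE = "1.3.6.1.4.1.99999.1"  # constructed placeholder OID

# GeneralName CHOICE tags this hypothetical RP actually implements.
# Other tags (otherName=0, rfc822Name=1, registeredID=8, ...) are part of an
# extension the RP "understands" but are not implemented individually: the
# partially-understood case from the message.
IMPLEMENTED_GENERAL_NAME_TAGS = {2: "dNSName", 7: "iPAddress"}


@dataclass
class Extension:
    oid: str
    critical: bool
    value: object


@dataclass
class Certificate:
    subject_cn: str
    extensions: list = field(default_factory=list)


class ValidationError(Exception):
    pass


def check_san(names, expected_dns, strict_partial):
    """Match expected_dns against the SAN; names is a list of (tag, value).

    strict_partial=True: any unimplemented GeneralName choice rejects the
    whole certificate. strict_partial=False: unimplemented choices are skipped
    and only the implemented ones are matched.
    """
    unimplemented = sorted({tag for tag, _ in names
                            if tag not in IMPLEMENTED_GENERAL_NAME_TAGS})
    if unimplemented and strict_partial:
        raise ValidationError(
            f"SAN contains unimplemented GeneralName tags {unimplemented}")
    return any(tag == 2 and value.lower() == expected_dns.lower()
               for tag, value in names)


def validate(cert, expected_dns, strict_partial=False):
    """Walk the extensions and return warnings; raise ValidationError to reject."""
    warnings = []
    name_matched = False
    for ext in cert.extensions:
        if ext.oid == OID_SUBJECT_ALT_NAME:
            name_matched = check_san(ext.value, expected_dns, strict_partial)
        elif ext.oid == OID_KEY_USAGE:
            pass  # recognised; keyUsage bit checking is outside this model
        elif ext.critical:
            # RFC 5280: unrecognised critical extension -> reject
            raise ValidationError(f"unrecognised critical extension {ext.oid}")
        else:
            warnings.append(
                f"ignored unrecognised non-critical extension {ext.oid}")
    if not name_matched:
        raise ValidationError(f"no SAN dNSName matches {expected_dns}")
    return warnings


def outcome(cert, expected_dns, strict_partial=False):
    """Convenience wrapper returning a single string for logging or tests."""
    try:
        warnings = validate(cert, expected_dns, strict_partial)
    except ValidationError as exc:
        return f"rejected: {exc}"
    return "accepted" + (f" ({'; '.join(warnings)})" if warnings else "")


# Constructed sample: critical SAN holding one implemented name (dNSName) and
# two unimplemented choices (otherName tag 0, registeredID tag 8), plus an
# unrecognised non-critical private extension.
SAMPLE_CERT = Certificate(
    subject_cn="www.example.com",
    extensions=[
        Extension(OID_KEY_USAGE, True, "digitalSignature"),
        Extension(OID_SUBJECT_ALT_NAME, True,
                  [(0, "otherName-blob"), (2, "www.example.com"), (8, "1.2.3.4")]),
        Extension(OID_UNKNOWN_PRIVATE, False, b"\x00"),
    ])

# Same certificate but with the private extension marked critical.
SAMPLE_CERT_CRITICAL_UNKNOWN = Certificate(
    subject_cn="www.example.com",
    extensions=SAMPLE_CERT.extensions[:2]
    + [Extension(OID_UNKNOWN_PRIVATE, True, b"\x00")])

if __name__ == "__main__":
    print("lenient:", outcome(SAMPLE_CERT, "www.example.com"))
    print("strict: ", outcome(SAMPLE_CERT, "www.example.com", strict_partial=True))
    print("critical unknown:", outcome(SAMPLE_CERT_CRITICAL_UNKNOWN, "www.example.com"))
```

Running it shows the divergence the message complains about: the same certificate is accepted by the lenient RP (with a warning about the ignored non-critical extension) and rejected by the strict one purely because of the unimplemented SAN choices, while the critical unknown-extension case is rejected by both, since that is the part the standard does pin down. A browser or library that wants predictable behaviour has to pick and document one of these two policies itself.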