RFC 6487, "A Profile for X.509 PKIX Resource Certificates", February 2012
Source of RFC: sidr (rtg)
Errata ID: 3168
Publication Format(s): TEXT
Reported By: David Mandelberg
Date Reported: 2012-03-26
Rejected by: Stewart Bryant
Date Rejected: 2013-05-06
Section 4.8 says:
or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize; however, a non-critical extension MAY be ignored if it is not recognized [RFC5280].
It should say:
or non-critical. A certificate-using system MUST reject the certificate if it encounters an extension not explicitly mentioned in this document. This is in contrast to RFC 5280 which allows non-critical extensions to be ignored.
Other sections of the same document contradict the original section 4.8:
Any extensions not explicitly mentioned MUST be absent. The same
applies to the CRLs used in the RPKI, that are also profiled in this
This profile does not permit the use of any other critical or
This is a technical change to the RFC and needs to be addressed through the IETF consensus process rather than via the errata process.