RFC Errata
RFC 6487, "A Profile for X.509 PKIX Resource Certificates", February 2012
Source of RFC: sidr (rtg)
Errata ID: 3168
Status: Rejected
Type: Technical
Publication Format(s): TEXT
Reported By: David Mandelberg
Date Reported: 2012-03-26
Rejected by: Stewart Bryant
Date Rejected: 2013-05-06
Section 4.8 says:
or non-critical. A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize; however, a non-critical extension MAY be ignored if it is not recognized [RFC5280].
It should say:
or non-critical. A certificate-using system MUST reject the certificate if it encounters an extension not explicitly mentioned in this document. This is in contrast to RFC 5280 which allows non-critical extensions to be ignored.
Notes:
Other sections of the same document contradict the original section 4.8:
Section 1:
Any extensions not explicitly mentioned MUST be absent. The same
applies to the CRLs used in the RPKI, that are also profiled in this
document.
Section 8:
Certificate Extensions:
This profile does not permit the use of any other critical or
non-critical extensions.
--VERIFIER NOTES--
This is a technical change to the RFC and needs to be addressed through the IETF consensus process rather than via the errata process.
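
The two readings contrasted in this report, applied to DER-encoded extension lists, as an added example that is not part of the erratum or of RFC 6487. It assumes a relying party that recognizes exactly the extensions profiled in Sections 4.8.1 to 4.8.11; the function names and the sample encodings are constructed for illustration.

```python
PROFILED = {  # OIDs of the extensions profiled in RFC 6487, Sections 4.8.1-4.8.11
    "2.5.29.19", "2.5.29.14", "2.5.29.35",      # BasicConstraints, SKI, AKI
    "2.5.29.15", "2.5.29.37", "2.5.29.31",      # KeyUsage, EKU, CRLDistributionPoints
    "2.5.29.32", "1.3.6.1.5.5.7.1.1",           # CertificatePolicies, AIA
    "1.3.6.1.5.5.7.1.11",                       # SIA
    "1.3.6.1.5.5.7.1.7", "1.3.6.1.5.5.7.1.8",   # IP Resources, AS Resources
}

def tlv(buf, pos):  # read one DER TLV; returns (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def oid_str(v):  # DER OBJECT IDENTIFIER contents -> dotted decimal
    arcs, acc = [], 0
    for b in v:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, acc = arcs + [acc], 0
    x = min(arcs[0] // 40, 2)  # the first two arcs share one value: 40*x + y
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def parse_extensions(buf):  # Extensions ::= SEQUENCE OF Extension
    tag, body, _ = tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = tlv(body, pos)
        _, oid, p = tlv(ext, 0)
        t, v, _ = tlv(ext, p)  # BOOLEAN if present (critical DEFAULT FALSE), else extnValue
        out.append((oid_str(oid), t == 0x01 and v != b"\x00"))
    return out  # list of (oid, critical)

def accept_section_4_8(exts):  # as published: only unrecognized critical extensions are fatal
    return not any(crit and oid not in PROFILED for oid, crit in exts)

def accept_sections_1_and_8(exts):  # Sections 1 and 8: anything outside the profile is fatal
    return all(oid in PROFILED for oid, _ in exts)

def der(tag, body):  # short-form encoder, used only to build the constructed sample
    return bytes([tag, len(body)]) + body

def sample(oid, critical):  # constructed: critical BasicConstraints plus one other extension
    flag = der(0x01, b"\xff") if critical else b""
    bc = der(0x30, der(0x06, b"\x55\x1d\x13") + der(0x01, b"\xff") + der(0x04, b"\x30\x00"))
    return der(0x30, bc + der(0x30, der(0x06, oid) + flag + der(0x04, b"\x05\x00")))
```

With `sample(b"\x55\x1d\x11", False)` (a non-critical subjectAltName, which the profile does not mention), `accept_section_4_8` returns True and `accept_sections_1_and_8` returns False; the two checks agree whenever the extra extension is critical or is one of the profiled ones.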