"Victor B. Wagner" <vi...@cryptocom.ru> writes: [...]
> This is about unexpected values in KNOWN extension. Not about totally
> new extension with new OID.

I think you're misreading it---I think it's talking about unexpected
extensions. In any case I think the language in RFC 5280 makes it
clearer (and we should assume that this was the intent of 3280):

   A certificate-using system MUST reject the certificate if it
   encounters a critical extension it does not recognize or a critical
   extension that contains information that it cannot process. A
   non-critical extension MAY be ignored if it is not recognized, but
   MUST be processed if it is recognized.

[...]
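
The rule in the RFC 5280 text quoted above, modelled as an added example (not part of the original message and not OpenSSL code). Extension values are plain Python objects rather than DER, and `CannotProcess`, the handler names, `check_extensions` and the private OID are assumptions made for illustration.

```python
KEY_USAGE = "2.5.29.15"          # id-ce-keyUsage
BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints

class CannotProcess(Exception):
    """A recognized extension carries a value the handler cannot process."""

def handle_key_usage(bits):
    # RFC 5280 4.2.1.3: at least one bit must be set when keyUsage is present.
    if not bits:
        raise CannotProcess("keyUsage with no bits set")

def handle_basic_constraints(value):
    path_len = value.get("path_len")
    if not isinstance(value.get("ca"), bool):
        raise CannotProcess("basicConstraints: cA is not a boolean")
    if path_len is not None and (not isinstance(path_len, int) or path_len < 0):
        raise CannotProcess("basicConstraints: bad pathLenConstraint")

HANDLERS = {KEY_USAGE: handle_key_usage, BASIC_CONSTRAINTS: handle_basic_constraints}

def check_extensions(extensions):
    """extensions: iterable of (oid, critical, value). Returns (verdict, notes)."""
    notes = []
    for oid, critical, value in extensions:
        handler = HANDLERS.get(oid)
        if handler is None:
            if critical:  # critical and not recognized: MUST reject
                return "reject", notes + [f"{oid}: unrecognized critical extension"]
            notes.append(f"{oid}: unrecognized non-critical extension ignored")
            continue
        try:
            handler(value)  # recognized: MUST be processed, critical or not
        except CannotProcess as exc:
            # Critical: MUST reject. Non-critical: the quoted text only says
            # "MUST be processed"; failing closed here is this model's choice.
            return "reject", notes + [f"{oid}: {exc}"]
        notes.append(f"{oid}: processed")
    return "accept", notes

# Constructed sample inputs (extension lists only, no real certificates).
PRIVATE_OID = "1.3.6.1.4.1.99999.1"  # made-up OID standing in for a new extension
SAMPLES = {
    "ok": [(KEY_USAGE, True, {"digitalSignature"}),
           (BASIC_CONSTRAINTS, True, {"ca": False})],
    "unknown_critical": [(PRIVATE_OID, True, b"\x05\x00")],
    "unknown_noncritical": [(PRIVATE_OID, False, b"\x05\x00")],
    "known_bad_value": [(KEY_USAGE, True, set())],
}
```

The `unknown_critical` and `known_bad_value` samples correspond to the two readings argued over in the thread; under the RFC 5280 wording both lead to rejection.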