Appendix C  Certificate and CRL Extensions  359

Microsoft Recommendation
Microsoft recommends this extension for all certificates.

Introduction to CRL Extensions
Since its initial publication, the X.509 standard for CRL formats has been amended to include additional information within a CRL. Version 2, the latest version (indicated by a version field value of 1 in the CertificateList), allows you to add information as CRL extensions.

The extensions defined by ANSI X9 and ISO/IEC/ITU for X.509 v2 CRLs [X.509] [X9.55] enable you to associate additional attributes with CRLs. The Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC 2459, see http://www.ietf.org/rfc/rfc2459.txt; since superseded by RFC 5280, which keeps the same CRL extension model) recommends a set of extensions to be used in CRLs. These extensions are called standard CRL extensions.

The standard also allows you to define your own extensions and include them in CRLs you issue. These extensions are called private, proprietary, or custom CRL extensions, and they carry information unique to your organization or business. Keep in mind that the profile requires an application to reject any CRL containing a critical extension it cannot process, so a CRL that carries a private critical extension can only be used by applications that recognize that extension. Marking a private extension critical therefore prevents the use of the CRL in a general context.

Structure of CRL Extensions
A CRL extension consists of the following:

• The object identifier (OID) for the extension; see Appendix B, “Object Identifiers.”
  This identifier uniquely identifies the extension. It also determines the ASN.1 type of the value in the value field and how that value is interpreted. That is, when an extension appears in a CRL, the OID appears as the extension ID field (extnID) and the DER encoding of the corresponding ASN.1 structure appears as the contents of the octet string (extnValue); see the examples in “Sample Certificate Extensions” on page 333.

NOTE  Some explanations in this chapter make reference to Abstract Syntax Notation One (ASN.1) and Distinguished Encoding Rules (DER). These are specified in the CCITT Recommendations X.208 and X.209 (now published by ITU-T as X.680 and X.690). For a quick summary of ASN.1 and DER, see A Layman’s Guide to a Subset of ASN.1, BER, and DER, which is available at RSA Laboratories’ web site (http://www.rsa.com).
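The extnID / extnValue layout described above, worked through in code. This is an added example and is not code from the original manual or from the product it documents. It encodes and decodes the Extension SEQUENCE (extnID, optional critical BOOLEAN, extnValue OCTET STRING) with the standard library only, and goes one step beyond the text by applying the profile's rule for unrecognized critical extensions when a CRL's extension list is checked. The cRLNumber OID 2.5.29.20 is the real one; the private-arc OID 1.3.6.1.4.1.55555.1, its UTF8String payload and all sample byte strings are constructed for illustration.

```python
"""DER encode/decode of the X.509 Extension structure used in v2 CRLs
(RFC 2459 / RFC 5280 section 4.1):

    Extension ::= SEQUENCE {
        extnID     OBJECT IDENTIFIER,
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING }   -- holds the DER of the extension's own ASN.1 type

Added example, not code from the original manual. Standard library only.
"""

OID_CRL_NUMBER = "2.5.29.20"          # id-ce-cRLNumber; its value type is INTEGER
OID_PRIVATE = "1.3.6.1.4.1.55555.1"   # hypothetical private-arc OID, illustration only

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def encode_integer(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the top bit would be set."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def encode_extension(oid: str, inner_der: bytes, critical: bool = False) -> bytes:
    body = encode_oid(oid)
    if critical:                   # DEFAULT FALSE, so DER omits the field when false
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, inner_der)   # extnValue wraps the inner DER in an OCTET STRING
    return tlv(0x30, body)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid (assumes first arc 0, 1 or 2 with second arc below 40)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_extension(der: bytes) -> dict:
    """Split one Extension into its OID, critical flag and raw extnValue contents."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    ext = {"oid": decode_oid(oid_body), "critical": False}
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                # the optional critical BOOLEAN is present
        ext["critical"] = val == b"\xff"
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    ext["value"] = val
    return ext

def validate_crl_extensions(ext_blobs: list) -> dict:
    """Profile rule: a critical extension this application does not recognize makes
    the whole CRL unusable; unrecognized non-critical extensions are simply ignored."""
    result = {"usable": True, "crl_number": None, "ignored": [], "fatal": []}
    for blob in ext_blobs:
        ext = decode_extension(blob)
        if ext["oid"] == OID_CRL_NUMBER:
            tag, num, _ = _read_tlv(ext["value"], 0)   # the OID tells us: INTEGER inside
            if tag != 0x02:
                raise ValueError("cRLNumber value must be an INTEGER")
            result["crl_number"] = int.from_bytes(num, "big", signed=True)
        elif ext["critical"]:
            result["usable"] = False
            result["fatal"].append(ext["oid"])
        else:
            result["ignored"].append(ext["oid"])
    return result

# Constructed sample extensions (not taken from any real CRL).
CRL_NUMBER_EXT = encode_extension(OID_CRL_NUMBER, encode_integer(5))
PRIVATE_CRITICAL_EXT = encode_extension(OID_PRIVATE, tlv(0x0C, b"hi"), critical=True)
PRIVATE_NONCRITICAL_EXT = encode_extension(OID_PRIVATE, tlv(0x0C, b"hi"))

if __name__ == "__main__":
    print(CRL_NUMBER_EXT.hex())    # 300a0603551d140403020105
    print(validate_crl_extensions([CRL_NUMBER_EXT, PRIVATE_NONCRITICAL_EXT]))
    print(validate_crl_extensions([CRL_NUMBER_EXT, PRIVATE_CRITICAL_EXT]))
```

The hex of the cRLNumber extension shows the layout from the text directly: 30 0a opens the SEQUENCE, 06 03 55 1d 14 is the extnID (2.5.29.20), and 04 03 wraps the inner DER 02 01 05 (INTEGER 5) as the extnValue octet string. With the same private OID, the only difference between the last two calls is the critical flag, and that flag alone decides whether a verifier that does not know the OID still accepts the CRL.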