Introduction to CRL Extensions
Appendix G Certificate and CRL Extensions 735

The standard also suggests that you can define your own extensions and include them in CRLs you issue. These extensions are called private, proprietary, or custom CRL extensions and they carry information unique to your organization or business. Keep in mind that applications may not be able to validate CRLs that contain private, critical extensions, thus preventing the use of these CRLs in a general context.

Structure of CRL Extensions

A CRL extension consists of the following:

• The object identifier (OID) for the extension; see Appendix H, “Object Identifiers.”
  This identifier uniquely identifies the extension. It also determines the ASN.1 type of value in the value field and how the value is interpreted. That is, when an extension appears in a CRL, the OID appears as the extension ID field (extnID) and the corresponding ASN.1 encoded structure appears as the value of the octet string (extnValue); see the examples in “Sample Certificate Extensions” on page 721.
• A flag or boolean field called critical.
  The true or false value assigned to this field indicates whether the extension is critical (true) or noncritical (false) to the CRL.
  ❍ If the extension is critical and the CRL is sent to an application that does not understand the extension (based on the extension’s ID), the application must reject the CRL.
  ❍ If the extension is not critical and the CRL is sent to an application that does not understand the extension (based on the extension’s ID), the application can ignore the extension and accept the CRL.
• An octet string containing the DER encoding of the value of the extension.

NOTE Some explanations in this chapter make reference to Abstract Syntax Notation One (ASN.1) and Distinguished Encoding Rules (DER). These are specified in the CCITT Recommendations X.208 and X.209. For a quick summary of ASN.1 and DER, see A Layman’s Guide to a Subset of ASN.1, BER, and DER, which is available at RSA Laboratories’ web site (http://www.rsa.com).