Description
FIA_X509_EXT.1 Test 8 looks like it is intended to cover the following from RFC 5280 section 6.1: "Note that clients MUST reject the certificate if it contains an unsupported critical extension."
However, this test presumes that such an extension exists. Theoretically it is possible that the TSF supports all critical extensions and therefore there is no situation where this test could correctly result in a failure.
For consistency's sake it may be beneficial to label this test as conditional based on the TSF not supporting at least one critical extension. However, if this was done there is an expectation that the SFR itself would require an enumeration of the supported critical extensions.
RFC 5280 doesn't do a clear job enumerating what extensions are critical or not, only discussing how to handle critical vs non-critical. It seems like this requirement and the corresponding test would benefit from clarification since it's mainly discussed in the application note rather than in an SFR itself.
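The RFC 5280 rule the test targets, as an added example that is not code from the issue author or from the project the issue belongs to: a validator decodes the X.509 `Extensions` structure, collects every extension flagged `critical`, and rejects the certificate if any of them falls outside the set it implements. The `SUPPORTED_EXTENSIONS` table is a hypothetical validator's supported set, the private-arc OID `1.3.6.1.4.1.99999.1` is a constructed placeholder rather than a real extension, and the DER encoder/decoder is a hand-written minimum that covers only what this structure needs (assumptions of this example, not anything the issue states). The last call in the demo shows the point the issue makes: once the unknown OID is added to the supported set, the same certificate is accepted and Test 8 can no longer produce a failure.

```python
# Added example (not code from the issue or the project it discusses):
# RFC 5280 section 6.1 requires rejecting a certificate that carries a critical
# extension the validator does not recognise.  The DER encoder/decoder below is a
# deliberate minimum, sufficient for the X.509 Extensions structure only.

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                 # base-128, high bit = "more follows"
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_extensions(exts) -> bytes:
    """exts: iterable of (dotted OID, critical, extnValue bytes) -> DER Extensions."""
    items = []
    for oid, critical, value in exts:
        body = encode_oid(oid)
        if critical:                               # DEFAULT FALSE is omitted in DER
            body += tlv(0x01, b"\xff")
        items.append(tlv(0x30, body + tlv(0x04, value)))
    return tlv(0x30, b"".join(items))

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0   # assumes first arc is 0, 1 or 2
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der: bytes):
    """Return [(dotted OID, critical, extnValue), ...] from a DER Extensions SEQUENCE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = _read_tlv(seq, pos)
        t, oid_bytes, p = _read_tlv(ext, 0)
        t, field, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:                              # optional BOOLEAN critical
            critical = field != b"\x00"
            t, field, p = _read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        out.append((decode_oid(oid_bytes), critical, field))
    return out

# Extensions this (hypothetical) validator implements; anything else is "unsupported".
SUPPORTED_EXTENSIONS = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints",
                        "2.5.29.17": "subjectAltName"}

def unsupported_critical(exts, supported=SUPPORTED_EXTENSIONS):
    """OIDs of critical extensions the validator does not implement (RFC 5280 6.1)."""
    return [oid for oid, critical, _ in exts if critical and oid not in supported]

def validate(der: bytes, supported=SUPPORTED_EXTENSIONS):
    bad = unsupported_critical(parse_extensions(der), supported)
    return ("reject", bad) if bad else ("accept", [])

# Constructed sample data.  The private-arc OID is a placeholder, not a real extension.
UNKNOWN_OID = "1.3.6.1.4.1.99999.1"
BASIC_CONSTRAINTS = ("2.5.29.19", True, b"\x30\x00")    # empty SEQUENCE: cA defaults FALSE
CERT_EXTS_REJECT = encode_extensions([BASIC_CONSTRAINTS, (UNKNOWN_OID, True, b"\x04\x00")])
CERT_EXTS_ACCEPT = encode_extensions([BASIC_CONSTRAINTS, (UNKNOWN_OID, False, b"\x04\x00")])

if __name__ == "__main__":
    print(validate(CERT_EXTS_REJECT))              # ('reject', ['1.3.6.1.4.1.99999.1'])
    print(validate(CERT_EXTS_ACCEPT))              # ('accept', [])
    # The issue's point: a TSF that "supports" every critical extension in the test
    # certificate can never fail Test 8, so the test is effectively conditional.
    print(validate(CERT_EXTS_REJECT, {**SUPPORTED_EXTENSIONS, UNKNOWN_OID: "vendor"}))
```

The second sample carries the same unknown OID but non-critical, and is accepted: RFC 5280 only lets a validator ignore an extension it does not recognise when the `critical` flag is absent or FALSE, which is exactly the distinction the test is meant to exercise.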