Endpoint Encryption


CA has Certificate Extensions to critical instead of non-critical. Why would Symantec issue cert against advice in RFC5280?

  • 1.  CA has Certificate Extensions to critical instead of non-critical. Why would Symantec issue cert against advice in RFC5280?

    Posted Sep 22, 2013 03:57 PM

    Hi,

    Recently a trading partner obtained an SMIME cert from Symantec. Our software still runs with Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2). There is a known internal defect with Java 1.4.2 in relation to processing the "critical" Extended Key Usage extension for non-CA certificates.

    The question is why would Symantec issue the certificate to a customer with the extension as critical when RFC5280, which deals with certificate extensions (http://www.rfc-editor.org/rfc/rfc5280.txt), has a caveat of "certificate issuers are cautioned that marking such extensions as critical may inhibit interoperability"?

    May a customer request of Symantec a certificate with Enhanced Key Usage set to criticality=false instead of true? Our old software does recognize the KeyUsage in the cert but does not process it when criticality=true but does when criticality=false.

    Looking for reasons why Symantec sets Certificate Extensions of Extended Key Usage to criticality=true versus criticality=false, as recommended in RFC5280 and whether it is a simple request to reissue with criticality=false.

    Thank you for your time.



  • 2.  RE: CA has Certificate Extensions to critical instead of non-critical. Why would Symantec issue cert against advice in RFC5280?

    Posted Sep 25, 2013 12:02 PM

    I think you will get more information/response in the Authentication Services section on the Connect Forums here. That part deals with the Symantec / Verisign issued certificates, also the link below points to their KB section (I could not quickly find there any info on the critical / non critical issue you are describing).

    https://www-secure.symantec.com/connect/security/forums/authentication-services

    https://knowledge.verisign.com/support/digital-id-support/index.html
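
For anyone diagnosing the interoperability problem described in this thread, the following added example (not from either poster or from Symantec) shows where the criticality flag sits in the DER encoding of an extension and reports it per OID. It uses only the Python standard library; the function names and the two sample byte strings are constructed for illustration, and the input is the `Extensions` SEQUENCE rather than a whole certificate.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def extension_criticality(extensions_der):
    """Map each extension OID to its critical flag (Extensions SEQUENCE in)."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE of extensions")
    flags, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, nxt = read_tlv(ext, 0)
        tag, value, _ = read_tlv(ext, nxt)
        # critical is BOOLEAN DEFAULT FALSE, so DER omits it when false
        flags[decode_oid(oid)] = tag == 0x01 and value != b"\x00"
    return flags

def tlv(tag, body):  # builder for the constructed samples (lengths < 128)
    return bytes([tag, len(body)]) + body

# Constructed samples: one EKU extension (emailProtection), with and without the flag.
EKU = tlv(0x06, bytes.fromhex("551d25"))  # 2.5.29.37
VALUE = tlv(0x04, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070304"))))
CRITICAL = tlv(0x30, tlv(0x30, EKU + tlv(0x01, b"\xff") + VALUE))
NON_CRITICAL = tlv(0x30, tlv(0x30, EKU + VALUE))

if __name__ == "__main__":
    print(extension_criticality(CRITICAL), extension_criticality(NON_CRITICAL))
```

The two samples differ only by the three-byte BOOLEAN element, which is the entire difference between criticality=true and criticality=false on the wire.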