It is generally considered a requirement that certificates be DER encoded (meaning not BER), although RFC 5280 is not crystal clear on this. In any case, the non-properly-DER encoding of some certificate fields has historically been considered a compliance error, as it can be seen on https://bugzilla.mozilla.org, therefore it's useful to be able to detect it.
Among other things, DER stipulates that "the encoding of a set value or sequence value shall not include an encoding for any component value which is equal to its default value" (see X.690). Therefore, when a certificate extension is not critical, its 'critical' field should be omitted. This lint checks just that.
It is generally considered a requirement that certificates be DER encoded (meaning not BER), although RFC 5280 is not crystal clear on this. In any case, the non-properly-DER encoding of some certificate fields has historically been considered a compliance error, as it can be seen on https://bugzilla.mozilla.org, therefore it's useful to be able to detect it.
Among other things, DER stipulates that "the encoding of a set value or sequence value shall not include an encoding for any component value which is equal to its default value" (see X.690). Therefore, when a certificate extension is not critical, its 'critical' field should be omitted. This lint checks just that.