It does exist. Now do I trust the existing certificate validation code to do the right thing in all cases in presence of the extension? Not one second.