You might be interested in how Kerberos uses ASN.1, with extension messages having a field that describes whether understanding the extension is required (this is important if extension covers information that might change the result of authorization operation, for example)