At 11:52 AM +0100 1/31/07, Simon Josefsson wrote:
Hi! I'm not certain how to populate the Authority Key Identifier field, and draft-ietf-pkix-rfc3280bis-07.txt appears to give me two different solutions to my problem. I'd appreciate some advice here. Our problem is when signing new certificates, the Authority Key Identifier field we generate for the new certificate doesn't necessarily match the Subject Key Identifier field in the CA certificate.
Then you have a bug :-). The text in 3280 that allows for choices in how to generate an AKI/SKI is not meant to override the path discovery logic that motivates the existence of these extensions. The choices offered re how to compute these values are there to accommodate different AKI/SKI determination options, but one must still maintain consistency between the option used for both values, when acting as a CA (vs. as a subject). If you don't, then RPs cannot make use of the AKI/SKI pair to disambiguate among multiple CA certs with the same Subject name.
... A related question is whether non-matching AKI/SKIs should trigger certificate chain validation failures. I cannot find where such a check is required in draft-ietf-pkix-rfc3280bis-07.txt. We know there is software out there that performs this test, since that is what prompted me to debug this problem. Would such behaviour be incorrect?
The SKI/AKI extensions are used for path discovery, not path validation, so one ought not consider a cert invalid if these fields do not match.
Steve
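
The two points in this exchange, as an added example that is not part of the original messages or of any implementation discussed in them: a CA keeps AKI and SKI consistent by copying the SKI from its own certificate, and a relying party uses the pair only to order candidate issuers, never to reject one. The `Cert` model, the function names and the sample certificates are constructed for illustration; signature verification, which actually decides the path, is out of scope here.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    # Constructed model holding only the fields path discovery reads; not a parser.
    label: str
    subject: str
    issuer: str
    ski: Optional[bytes]  # subjectKeyIdentifier
    aki: Optional[bytes]  # authorityKeyIdentifier keyIdentifier

def key_id(public_key: bytes) -> bytes:
    # SHA-1 over the public key bits, one of the generation options RFC 3280 describes.
    return hashlib.sha1(public_key).digest()

def aki_for_new_cert(ca_cert: Cert) -> bytes:
    # CA side: copy the SKI already in the CA certificate instead of
    # recomputing it, so both values always come from the same option.
    if ca_cert.ski is None:
        raise ValueError("CA certificate has no SKI to copy")
    return ca_cert.ski

def candidate_issuers(child: Cert, pool: List[Cert]) -> List[Cert]:
    # RP side: name chaining selects the candidates; AKI/SKI only orders them.
    named = [c for c in pool if c.subject == child.issuer]

    def rank(c: Cert) -> int:
        if child.aki is None or c.ski is None:
            return 1  # no hint available for this pair
        return 0 if c.ski == child.aki else 2  # mismatch is tried last, not rejected

    return sorted(named, key=rank)  # stable sort keeps pool order within a rank

# Constructed sample: one CA name, two keys (for example after a key rollover).
OLD_CA = Cert("ca-old", "CN=Example CA", "CN=Example CA", key_id(b"old-key"), None)
NEW_CA = Cert("ca-new", "CN=Example CA", "CN=Example CA", key_id(b"new-key"), None)
POOL = [OLD_CA, NEW_CA]
LEAF = Cert("leaf", "CN=host", "CN=Example CA", None, aki_for_new_cert(NEW_CA))
# A leaf whose AKI was computed with a different option than the CA's SKI.
ODD_LEAF = Cert("odd", "CN=host2", "CN=Example CA", None, key_id(b"new-key")[:8])

if __name__ == "__main__":
    for leaf in (LEAF, ODD_LEAF):
        print(leaf.label, [c.label for c in candidate_issuers(leaf, POOL)])
```

For `ODD_LEAF` the hint is useless but both same-named CA certificates are still returned, so path validation can go on to try each of them.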