
Chaining of Key Identifiers



Yassir:

Your old message was recently brought to my attention. Since it appears that it has gone unanswered, I will try to resolve this issue now.

Regarding authority key identifiers, Son-of-RFC2459 says:

   The keyIdentifier field of the authorityKeyIdentifier extension MUST
   be included in all certificates generated by conforming CAs to
   facilitate chain building.  There is one exception; where a CA
   distributes its public key in the form of a "self-signed"
   certificate, the authority key identifier MAY be omitted.  In this
   case, the subject and authority key identifiers would be identical.

And, for subject key identifiers:

   To facilitate chain building, this extension MUST appear in all
   conforming CA certificates, that is, all certificates including the
   basic constraints extension (see sec. 4.2.1.10) where the value of cA
   is TRUE.  The value of the subject key identifier MUST be the value
   placed in the key identifier field of the Authority Key Identifier
   extension (see sec. 4.2.1.1) of certificates issued by the subject of
   this certificate.

Our intent by these paragraphs is to require the inclusion of key identifiers to facilitate certification path construction. We do not intend to reject a certification path that meets all of the requirements specified in section 6.

These identifiers are in non-critical extensions; to this end, they can legally be ignored by any client.

Russ


> I have a question about the chaining of SubjectKeyIdentifiers and AuthorityKeyIdentifiers.
> Although RFC2459 and the son-of-RFC2459 both RECOMMEND application support
> for the authority and subject key identifier extensions, neither document clearly specifies
> under what circumstances, if any, the application should reject a certification path based
> on invalid key identifier chaining.
>
> I was wondering whether rules apply to key identifier chaining.
> In other words, should we have a step like:
> (6) [Verify that] The certificate authority key identifier is the
> working_AKI, meaning:
> (i) working_AKI is non-null and matches the value in
> the authorityKeyIdentifier field, or
> (ii) working_AKI is null and the authorityKeyIdentifier field is
> not present.
>
> It is unclear to me whether the key identifiers are just meant to FACILITATE
> chain building, or whether they are actually meant to be enforced in
> path validation.
>
> Thanks in advance,
> Yassir.
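To make the distinction in this exchange concrete, the following is an added example, not code from this thread or from any PKIX reference implementation, written against the pyca/cryptography library. It builds a small hierarchy (self-signed root without an AKI, intermediate with SKI and AKI, three leaves: correct AKI, deliberately wrong AKI, no AKI), uses the key identifiers only to narrow the search for an issuer during path construction, and then validates the path with section-6 style checks (issuer/subject name chaining, basicConstraints, signatures) that never consult the identifiers. Yassir's proposed extra step is included as a separate function so the two behaviours can be compared. The CA names, the helper functions and the wrong keyIdentifier value are constructed for illustration.

```python
"""SKI/AKI as a chain-building hint versus path validation without a KID step.
Added example, not from the PKIX thread. Requires pyca/cryptography."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, subject_key, issuer_key, is_ca, aki=None, ski=True):
    """Minimal v3 certificate. aki is the raw keyIdentifier bytes to place in the AKI
    extension (None omits the extension); ski=False omits the SKI extension."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn))
         .issuer_name(_name(issuer_cn))
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ski:
        b = b.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), critical=False)
    if aki is not None:
        # Both extensions are non-critical, as the profile requires.
        b = b.add_extension(x509.AuthorityKeyIdentifier(aki, None, None), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def ski_of(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    except x509.ExtensionNotFound:
        return None


def aki_of(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        return None


def candidate_issuers(cert, pool):
    """Key identifiers only narrow the search. If the AKI keyIdentifier matches nothing
    (absent, stale or wrong), fall back to plain issuer-name matching."""
    aki = aki_of(cert)
    if aki is not None:
        by_kid = [c for c in pool if ski_of(c) == aki and c.subject == cert.issuer]
        if by_kid:
            return by_kid
    return [c for c in pool if c.subject == cert.issuer]


def build_path(target, pool, anchors):
    """Depth-first search from target up to a trust anchor; returns [target, ..., anchor] or None."""
    def search(path):
        head = path[-1]
        if any(head == a for a in anchors):
            return path
        for cand in candidate_issuers(head, pool + anchors):
            if cand in path:  # guard against loops in the candidate pool
                continue
            found = search(path + [cand])
            if found:
                return found
        return None
    return search([target])


def validate_path(path):
    """Section-6 style checks: name chaining, basicConstraints, signatures. No KID step."""
    for child, parent in zip(path, path[1:]):
        if child.issuer != parent.subject:
            return False
        if not parent.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except Exception:  # cryptography.exceptions.InvalidSignature
            return False
    return True


def strict_kid_chaining(path):
    """The extra step proposed in the question: working_AKI (issuer's SKI) must equal the
    AKI keyIdentifier, and an absent SKI requires an absent AKI."""
    return all(aki_of(c) == ski_of(p) for c, p in zip(path, path[1:]))


def demo():
    """Constructed hierarchy; returns (path length, validate_path, strict_kid_chaining) per leaf."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Root CA", "Root CA", root_key, root_key, True)           # self-signed, AKI omitted
    inter = make_cert("Intermediate CA", "Root CA", int_key, root_key, True, aki=ski_of(root))
    leaves = {
        "ok": make_cert("leaf", "Intermediate CA", leaf_key, int_key, False, aki=ski_of(inter)),
        "bad_kid": make_cert("leaf", "Intermediate CA", leaf_key, int_key, False, aki=b"\x00" * 20),
        "no_kid": make_cert("leaf", "Intermediate CA", leaf_key, int_key, False),
    }
    results = {}
    for label, leaf in leaves.items():
        path = build_path(leaf, [inter], [root])
        results[label] = (len(path), validate_path(path), strict_kid_chaining(path))
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

With the wrong or missing AKI the key-identifier shortcut yields no candidate, the name-matching fallback still finds the intermediate, and validate_path accepts the three-certificate path; only the optional strict check rejects it. That is the behaviour the reply above describes: the identifiers facilitate construction and are ignorable, and a path meeting the section 6 requirements is not rejected because of them.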