Authority Key Identifier

["Jong 't, D (Dennis)" <D.Jong@xxxxxxxxxxxxxx>]

LS,

I have a question regarding the Authority Key Identifier (AKI) in an x509
certificate. When we resolve the AKI from the "CERT_CONTEXT" (MS IIS), it
returns a 24 bytes structure, like:
30 16 80 14 b2 b6 f2 cb eb d0 b2 26 79 eb 8b 99 74 77 e2 df 2f d5 20 69

The AKI should be 20 bytes long (RFC 2459, 4.2.1.2 using 160 bit SHA-1),
like:
b2 b6 f2 cb eb d0 b2 26 79 eb 8b 99 74 77 e2 df 2f d5 20 69

Does anyone know the purpose of those 4 trailing bytes? If Yes, is it save
to cut them off to substract the original AKI?

Met vriendelijke groet/with kind regards,
 
Dennis 't Jong
Technisch Specialist
Windows Server Management O&O - Beveiliging 

Rabobank ICT           Tel:    +31 30 21 52772
Kamer ZL-R255          Fax:    +31 30 21 51893
Laan van Eikenstein 9  Mobiel: +31 6 24481180
3705 AR Zeist          Email:  D.Jong@xxxxxxxxxxxxxx 
Nederland              Web:    http://www.RabobankICT.nl 




================================================
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en 
is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht 
onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en 
de afzender direct te informeren door het bericht te retourneren. 
================================================
The information contained in this message may be confidential 
and is intended to be exclusively for the addressee. Should you 
receive this message unintentionally, please do not use the contents 
herein and notify the sender immediately by return e-mail.