
RE: Authority Key Identifier



I think AKI should not be used for that purpose.
Anyone can create a certificate with a predefined AKI...


Denis Issoupov
Senior Software Developer
ALACRIS Inc.
* Voice: 613-230-9762 x239  * Fax: 613-230-9702
* Cell: 613-294-5948
* E-mail: dissoupo@xxxxxxxxxxx * Web: www.alacris.com

Find out more about the best OCSP Client for Windows at
http://www.ocspclient.com

 



> -----Original Message-----
> From: Jong 't, D (Dennis) [mailto:D.Jong@xxxxxxxxxxxxxx] 
> Sent: Thursday, October 24, 2002 2:04 AM
> To: 'ietf-pkix@xxxxxxx'
> Subject: RE: Authority Key Identifier
> 
> 
> 
> Thank you all for the (quick) responses. I now have a better 
> feeling of the AKI. The suggested books/articles are taken 
> into consideration.
> 
> We need the AKI to be able to select the proper RA/CA 
> combination for a Certificate Roll-over. MS IIS will do this 
> selection using an ISAPI filter/extension. After the proper 
> RA/CA are selected, RSA Keon will perform a certificate update.
> 
> Met vriendelijke groet/with kind regards,
>  
> Dennis 't Jong
> Technisch Specialist
> Windows Server Management O&O - Beveiliging
> 
> Rabobank ICT           Tel:    +31 30 21 52772
> Kamer ZL-R255          Fax:    +31 30 21 51893
> Laan van Eikenstein 9  Mobiel: +31 6 24481180
> 3705 AR Zeist          Email:  D.Jong@xxxxxxxxxxxxxx 
>                        Web:    http://www.RabobankICT.nl 
> 
> 
> 
> > -----Original Message-----
> > From: Hamrick, Matt [mailto:HamrickM@xxxxxxxxxxxxx]
> > Sent: Wednesday, October 23, 2002 16:19
> > To: 'Jong 't, D (Dennis)'
> > CC: 'ietf-pkix@xxxxxxx'
> > Subject: RE: Authority Key Identifier
> > 
> > 
> > Also... as a followup to Denis' response, you can find information
> > about ASN.1 and BER encoding in the X.680 family of specifications.
> > Burt Kaliski has also authored an article titled "a layman's guide
> > to ASN.1". You can search google or cryptonomicon.net to find the
> > URLs for these articles. As an FYI, most ITU specs cost money, but
> > they allow people to download two or three without charge each year.
> > If you're going to spend money trying to figure out ASN.1 and BER
> > (and you really should figure these things out if you have to do
> > serious certificate work), there are a couple of books on ASN.1 I saw
> > referenced on cryptonomicon.net. I think you could go there or
> > amazon.com and search for "ASN.1". I think I saw the book by Olivier
> > Dubuisson and thought it was a reasonable introduction to the subject.
> > 
> > -----Original Message-----
> > From: Jong 't, D (Dennis) [mailto:D.Jong@xxxxxxxxxxxxxx]
> > Sent: Monday, October 21, 2002 7:29 AM
> > To: 'ietf-pkix@xxxxxxx'
> > Subject: Authority Key Identifier
> > 
> > 
> > 
> > LS,
> > 
> > I have a question regarding the Authority Key Identifier (AKI) in an
> > x509 certificate. When we resolve the AKI from the "CERT_CONTEXT"
> > (MS IIS), it returns a 24-byte structure, like:
> > 30 16 80 14 b2 b6 f2 cb eb d0 b2 26 79 eb 8b 99 74 77 e2 df 2f d5 20 69
> > 
> > The AKI should be 20 bytes long (RFC 2459, 4.2.1.2 using 160 bit
> > SHA-1), like:
> > b2 b6 f2 cb eb d0 b2 26 79 eb 8b 99 74 77 e2 df 2f d5 20 69
> > 
> > Does anyone know the purpose of those 4 trailing bytes? If yes, is it
> > safe to cut them off to subtract the original AKI?
> > 
> > Met vriendelijke groet/with kind regards,
> >  
> > Dennis 't Jong
> > Technisch Specialist
> > Windows Server Management O&O - Beveiliging
> > 
> > Rabobank ICT           Tel:    +31 30 21 52772
> > Kamer ZL-R255          Fax:    +31 30 21 51893
> > Laan van Eikenstein 9  Mobiel: +31 6 24481180
> > 3705 AR Zeist          Email:  D.Jong@xxxxxxxxxxxxxx 
> > Nederland              Web:    http://www.RabobankICT.nl 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 
> 
>
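
Added example (not part of any message in this thread): a bounds-checked C parser that reads the 24-byte value quoted in the original question as a DER-encoded AuthorityKeyIdentifier instead of slicing at a fixed offset. The four extra bytes decode as DER headers (`30 16` is a SEQUENCE of 22 bytes, `80 14` is context tag [0] with 20 bytes of content); the function names `der_header` and `aki_key_identifier` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Read one DER tag/length header at *p. On success, advance *p to the content
 * and return the content length; return -1 on truncated or malformed input. */
static long der_header(const uint8_t **p, const uint8_t *end, uint8_t *tag)
{
    const uint8_t *q = *p;
    size_t len, n;
    if (end - q < 2) return -1;
    *tag = *q++;
    len = *q++;
    if (len & 0x80) {                        /* long form: n length bytes follow */
        n = len & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1;  /* content must fit in the buffer */
    *p = q;
    return (long)len;
}

/* Find keyIdentifier ([0] IMPLICIT OCTET STRING) in a DER AuthorityKeyIdentifier.
 * Returns its length, 0 if the field is absent or empty, -1 if malformed. */
long aki_key_identifier(const uint8_t *der, size_t der_len, const uint8_t **kid)
{
    const uint8_t *p = der, *end = der + der_len;
    uint8_t tag;
    long len = der_header(&p, end, &tag);
    if (len < 0 || tag != 0x30 || p + len != end) return -1;  /* one SEQUENCE, no extra bytes */
    if (p == end) return 0;
    len = der_header(&p, end, &tag);
    if (len < 0) return -1;
    if (tag != 0x80) return 0;               /* first field is [1] or [2] */
    *kid = p;
    return len;
}

static const uint8_t SAMPLE_AKI[24] = {      /* the 24 bytes quoted in the thread */
    0x30,0x16,0x80,0x14,0xb2,0xb6,0xf2,0xcb,0xeb,0xd0,0xb2,0x26,
    0x79,0xeb,0x8b,0x99,0x74,0x77,0xe2,0xdf,0x2f,0xd5,0x20,0x69 };

int main(void)
{
    const uint8_t *kid = NULL;
    long n = aki_key_identifier(SAMPLE_AKI, sizeof SAMPLE_AKI, &kid);
    for (long i = 0; i < n; i++) printf("%02x ", kid[i]);
    printf("(%ld bytes)\n", n);
    return n == 20 ? 0 : 1;
}
```

The extracted keyIdentifier is whatever the certificate's creator encoded, so it works as a lookup key for a candidate issuer, and verifying the certificate's signature against that issuer's public key is what establishes the relationship.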