RE: Authority Key Identifier
Denis,
I agree with you that it is possible for an AKI to be non-unique; it is just
a field in a certificate. But then a CA must be introduced into the PKI
which issues certificates with "pre-defined" AKIs. Since those certificates
are signed by a non-trusted CA, the "fraudulent" certificate will be rejected
by the (web) server. By this, the false AKI is not processed at all.
With kind regards,
Dennis 't Jong
> -----Original Message-----
> From: Denis Issoupov [mailto:dissoupo@xxxxxxxxxxx]
> Sent: Thursday, 24 October 2002 15:05
> To: Jong 't, D (Dennis); ietf-pkix@xxxxxxx
> Subject: RE: Authority Key Identifier
>
>
> I think AKI should not be used for that purpose.
> Anyone can create a certificate with a predefined AKI...
>
>
> Denis Issoupov
> Senior Software Developer
> ALACRIS Inc.
> * Voice: 613-230-9762 x239 * Fax: 613-230-9702
> * Cell: 613-294-5948
> * E-mail: dissoupo@xxxxxxxxxxx * Web: www.alacris.com
>
> Find out more about the best OCSP Client for Windows at
> http://www.ocspclient.com
>
> > -----Original Message-----
> > From: Jong 't, D (Dennis) [mailto:D.Jong@xxxxxxxxxxxxxx]
> > Sent: Thursday, October 24, 2002 2:04 AM
> > To: 'ietf-pkix@xxxxxxx'
> > Subject: RE: Authority Key Identifier
> >
> >
> >
> > Thank you all for the (quick) responses. I now have a better
> > feeling for the AKI. The suggested books/articles are taken
> > into consideration.
> >
> > We need the AKI to be able to select the proper RA/CA
> > combination for a Certificate Roll-over. MS IIS will do this
> > selection using an ISAPI filter/extension. After the proper
> > RA/CA are selected, RSA Keon will perform a certificate update.
> >
> > With kind regards,
> >
> > Dennis 't Jong
> > Technical Specialist
> > Windows Server Management O&O - Security
> >
> > Rabobank ICT            Tel: +31 30 21 52772
> > Room ZL-R255            Fax: +31 30 21 51893
> > Laan van Eikenstein 9   Mobile: +31 6 24481180
> > 3705 AR Zeist           Email: D.Jong@xxxxxxxxxxxxxx
> > Web: http://www.RabobankICT.nl
> >
> >
> >
> > > -----Original Message-----
> > > From: Hamrick, Matt [mailto:HamrickM@xxxxxxxxxxxxx]
> > > Sent: Wednesday, 23 October 2002 16:19
> > > To: 'Jong 't, D (Dennis)'
> > > CC: 'ietf-pkix@xxxxxxx'
> > > Subject: RE: Authority Key Identifier
> > >
> > >
> > > Also... as a follow-up to Denis' response, you can find information about
> > > ASN.1 and BER encoding in the X.680 family of specifications. Burt Kaliski
> > > has also authored an article titled "A Layman's Guide to ASN.1". You can
> > > search Google or cryptonomicon.net to find the URLs for these articles. As an
> > > FYI, most ITU specs cost money, but they allow people to download two or
> > > three without charge each year. If you're going to spend money trying to
> > > figure out ASN.1 and BER (and you really should figure these things out if
> > > you have to do serious certificate work), there are a couple of books on
> > > ASN.1 I saw referenced on cryptonomicon.net. I think you could go there or
> > > amazon.com and search for "ASN.1". I think I saw the book by Olivier
> > > Dubuisson and thought it was a reasonable introduction to the subject.
> > >
> > > -----Original Message-----
> > > From: Jong 't, D (Dennis) [mailto:D.Jong@xxxxxxxxxxxxxx]
> > > Sent: Monday, October 21, 2002 7:29 AM
> > > To: 'ietf-pkix@xxxxxxx'
> > > Subject: Authority Key Identifier
> > >
> > >
> > >
> > > LS,
> > >
> > > I have a question regarding the Authority Key Identifier (AKI) in an X.509
> > > certificate. When we resolve the AKI from the "CERT_CONTEXT" (MS IIS), it
> > > returns a 24-byte structure, like:
> > > 30 16 80 14 b2 b6 f2 cb eb d0 b2 26 79 eb 8b 99 74 77 e2 df 2f d5 20 69
> > >
> > > The AKI should be 20 bytes long (RFC 2459, 4.2.1.2 using 160-bit SHA-1),
> > > like:
> > > b2 b6 f2 cb eb d0 b2 26 79 eb 8b 99 74 77 e2 df 2f d5 20 69
> > >
> > > Does anyone know the purpose of those 4 trailing bytes? If yes, is it safe
> > > to cut them off to extract the original AKI?
> > >
> > > With kind regards,
> > >
> > > Dennis 't Jong
> > > Technical Specialist
> > > Windows Server Management O&O - Security
> > >
> > > Rabobank ICT            Tel: +31 30 21 52772
> > > Room ZL-R255            Fax: +31 30 21 51893
> > > Laan van Eikenstein 9   Mobile: +31 6 24481180
> > > 3705 AR Zeist           Email: D.Jong@xxxxxxxxxxxxxx
> > > Netherlands             Web: http://www.RabobankICT.nl
> > >
> > > ================================================
> > > The information contained in this message may be confidential
> > > and is intended to be exclusively for the addressee. Should you
> > > receive this message unintentionally, please do not use the
> > > contents herein and notify the sender immediately by return e-mail.
> > > ================================================
> > >
> >
>
>
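The 24 bytes quoted in the original question, decoded as what they are, as an added example written for this page (not code from any participant in the thread, nor from IIS or RSA Keon). The value is the DER encoding of the AuthorityKeyIdentifier SEQUENCE: `30 16` opens a 22-byte SEQUENCE and `80 14` opens the 20-byte `[0] keyIdentifier`, so the four extra bytes lead rather than trail, and slicing a fixed offset is only safe for this one shape. RFC 2459 section 4.2.1.2 method (2) yields an 8-byte identifier, CAs may use any length, and the extension may omit keyIdentifier entirely and carry issuer name plus serial number instead, so the value should be parsed as ASN.1. The two extra sample encodings, the CA labels and the dummy public-key bytes are constructed for illustration and are assumptions; the last function also carries the caveat Denis raises above, namely that a matching AKI is only a lookup hint and proves nothing until the selected CA's key verifies the certificate signature.

```python
"""Decode an X.509 AuthorityKeyIdentifier (AKI) extension value (RFC 2459 4.2.1.1).

AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] KeyIdentifier           OPTIONAL,
    authorityCertIssuer       [1] GeneralNames            OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
"""
import hashlib


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in AuthorityKeyIdentifier")
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("DER requires the shortest length form")
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_aki(der):
    """Return the three optional AKI fields as a dict (absent fields are None)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AKI must be exactly one SEQUENCE")
    aki = {"keyIdentifier": None, "authorityCertIssuer": None,
           "authorityCertSerialNumber": None}
    expected = [0x80, 0xA1, 0x82]   # [0] primitive, [1] constructed, [2] primitive
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in expected:
            raise ValueError(f"unexpected or out-of-order tag 0x{tag:02x}")
        expected = expected[expected.index(tag) + 1:]   # each field at most once, in order
        if tag == 0x80:
            aki["keyIdentifier"] = value                 # raw octets; no fixed length
        elif tag == 0xA1:
            aki["authorityCertIssuer"] = value           # GeneralNames, left DER-encoded
        else:
            aki["authorityCertSerialNumber"] = int.from_bytes(value, "big", signed=True)
    return aki


def ski_method1(subject_public_key):
    """RFC 2459 4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING contents."""
    return hashlib.sha1(subject_public_key).digest()


def ski_method2(subject_public_key):
    """Method (2): nibble 0100 followed by the low 60 bits of the SHA-1 hash (8 bytes)."""
    low = hashlib.sha1(subject_public_key).digest()[-8:]
    return bytes([0x40 | (low[0] & 0x0F)]) + low[1:]


def select_issuer(aki, issuers_by_ski):
    """Pick the known CA whose SubjectKeyIdentifier equals the AKI keyIdentifier.

    Only a routing hint: any certificate can be minted with any AKI, so the chosen
    CA's public key must still verify the certificate signature before it is trusted.
    """
    kid = aki["keyIdentifier"]
    return issuers_by_ski.get(kid) if kid is not None else None


# The 24 bytes quoted in the original question.
POSTED_AKI = bytes.fromhex(
    "30 16 80 14 b2 b6 f2 cb eb d0 b2 26 79 eb 8b 99 74 77 e2 df 2f d5 20 69")
# Constructed samples (assumptions, not from the thread): an 8-byte method-2 style
# keyIdentifier, and an AKI with only issuer name (CN=Test CA) and serial number 42.
SHORT_KID_AKI = bytes.fromhex("30 0a 80 08 4a 1b 2c 3d 4e 5f 60 71")
ISSUER_SERIAL_AKI = bytes.fromhex(
    "30 1b a1 16 a4 14 30 12 31 10 30 0e 06 03 55 04 03 0c 07 54 65 73 74 20 43 41 82 01 2a")

if __name__ == "__main__":
    aki = decode_aki(POSTED_AKI)
    print("keyIdentifier:", aki["keyIdentifier"].hex())
    print("strip trailing 4 == keyIdentifier?", POSTED_AKI[:-4] == aki["keyIdentifier"])
    print("strip leading 4  == keyIdentifier?", POSTED_AKI[4:] == aki["keyIdentifier"])
    print("8-byte keyIdentifier:", decode_aki(SHORT_KID_AKI)["keyIdentifier"].hex())
    print("issuer/serial form, serial:", decode_aki(ISSUER_SERIAL_AKI)["authorityCertSerialNumber"])
```

Run stand-alone it prints the 20-byte identifier from the question and shows that cutting four bytes off the end does not produce it. In the roll-over scenario described in the thread, `select_issuer` is the step an ISAPI filter would perform, and its result must be followed by chain validation against the selected RA/CA; a certificate carrying a copied AKI will then fail the signature check exactly as the reply at the top of the page expects.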