I have come across a potential problem with RFC 3280 when working on the new ETSI Certificate profile standard for identity certs.

RFC 3280 states:

4.2.1.1
The value of the keyIdentifier field SHOULD be derived from the public key used to verify the certificate's signature or a method that generates unique values. Two common methods for generating key identifiers from the public key, and one common method for generating unique values, are described in section 4.2.1.2

4.2.1.2
One common method for generating unique values is a monotonically increasing sequence of integers.

This means that a CA, following the recommendation, can assign key identifier values of e.g. 1, 2, 3, 4, 5, 6,..., n

If many different CA:s would follow the "monotonically increasing sequence of integers" procedure, multiple unrelated certificates would end up having the same SKI and/or AKI values relating to completely different public keys.

I'm not sure how most path building clients would handle a situation like that, but I fear that at least some would fail.

Isn't the point that AKI:s and SKI:s should use a generation algorithm that assigns them a globally unique value with high probability and therefore SHOULD be derived from the public key and NOT use a "monotonically increasing sequence of integers"? At least not starting from a small integer?

/Stefan
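Added example, not part of the original message: a small Python model of issuer-candidate selection during path building, comparing counter-based key identifiers with the SHA-1 method (1) of RFC 3280 section 4.2.1.2. The `Cert` class, the CA and subject names, and the key bytes are constructed for illustration; no real X.509 parsing or signature checking is performed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                      # constructed model, not a parsed X.509 certificate
    subject: str
    issuer: str
    ski: bytes                   # subjectKeyIdentifier
    aki: bytes                   # authorityKeyIdentifier.keyIdentifier

def ski_sha1(public_key: bytes, serial: int) -> bytes:
    # RFC 3280 4.2.1.2 method (1): SHA-1 of the subjectPublicKey bit string value
    return hashlib.sha1(public_key).digest()

def ski_counter(public_key: bytes, serial: int) -> bytes:
    # "monotonically increasing sequence of integers", starting at 1 in each CA
    return serial.to_bytes(4, "big")

def make_pki(ca_name, ca_key, ee_name, ee_key, ski_of):
    """Return (self-signed CA cert, end-entity cert issued by that CA)."""
    ca_ski = ski_of(ca_key, 1)
    ca = Cert(ca_name, ca_name, ca_ski, ca_ski)
    ee = Cert(ee_name, ca_name, ski_of(ee_key, 2), ca_ski)
    return ca, ee

def issuers_by_keyid(cert, store):
    """Candidate issuers selected on AKI == SKI alone."""
    return [c.subject for c in store if c.ski == cert.aki]

def issuers_by_keyid_and_name(cert, store):
    """Candidate issuers selected on AKI == SKI and issuer name == subject name."""
    return [c.subject for c in store if c.ski == cert.aki and c.subject == cert.issuer]

def candidates(ski_of):
    # Two unrelated CAs; key bytes are constructed placeholders, not real keys.
    ca_a, alice = make_pki("CN=CA A", b"key-ca-a", "CN=Alice", b"key-alice", ski_of)
    ca_b, _bob = make_pki("CN=CA B", b"key-ca-b", "CN=Bob", b"key-bob", ski_of)
    store = [ca_a, ca_b]
    return issuers_by_keyid(alice, store), issuers_by_keyid_and_name(alice, store)

if __name__ == "__main__":
    print("counter:", candidates(ski_counter))
    print("sha1:   ", candidates(ski_sha1))
```

With counter-based identifiers, selection on key identifier alone returns both unrelated CAs for Alice's certificate; only the additional name match (and, in a real validator, signature verification against each candidate) narrows it to the correct issuer.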