[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AKI and SKI problem with RFC 3280?

To: pgut001@xxxxxxxxxxxxxxxxx, ietf-pkix@xxxxxxx, stefans@xxxxxxxxxxxxx
Subject: Re: AKI and SKI problem with RFC 3280?
From: Russ Housley <housley@xxxxxxxxxxxx>
Date: Tue, 21 Oct 2003 09:16:24 -0400
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Peter:

>Isn't the point that AKI:s and SKI:s should use a generation algorithm that >assigns them a globally unique value with high probability and therefore >SHOULD be derived from the public key and NOT use a "monotonically increasing >sequence of integers". At least not starting from a small integer?
There is some reason why CAs do this, I can't remember why but I think it was
the usual ostrich algorithm ("There is no CA but us; to think otherwise is
treason punishable by limb reconstruction").  I'm not quite sure why the RFC
tells you to do this though, since the only safe response to it is to ignore
any sKIDs of that form.

The only CA that I know about that did this has changed to a hash-based alternative.

Russ

References:
- Re: AKI and SKI problem with RFC 3280?
  - From: Peter Gutmann

Prev by Date: RE: AKI and SKI problem with RFC 3280?
Next by Date: Re: AKI and SKI problem with RFC 3280?
Previous by thread: RE: AKI and SKI problem with RFC 3280?
Next by thread: RE: AKI and SKI problem with RFC 3280?
Index(es):
- Date
- Thread