[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: AKI and SKI problem with RFC 3280?
"Peter Gutmann" <pgut001@xxxxxxxxxxxxxxxxx> writes:
> My code has included a check to ignore the sKID if it's less than
> 40 bits for some time now, because anything less than that is a
> danger sign implying the use of an integer sequence.
The RFC 3280 certification path validation process does not include a
check of the sKID and/or aKID; if they don't match, there is nothing
wrong with the path. Path building implementations should never rely on
them being correct. They may be useful if they are present and correct,
but as was said, may lead building algorithms astray if they are present
and incorrect. Therefore implementations should use them if they are
helpful, but not rely on their existence or fail if they are incorrect.
--Peter
+---------------------------------------------------------------+
| Peter Hesse pmhesse@xxxxxxxxxxxxxxxxxx |
| Phone: (703)934-2031 Gemini Security Solutions, Inc. |
| ICQ: 1942828 www.geminisecurity.com |
+---------------------------------------------------------------+
"Pay no attention to what the critics say; there has never been
a statue set up in honor of a critic." --Jean Sibelius