
Re: AKI and SKI problem with RFC 3280?



Stefan Santesson wrote:
> What is in fact the current behaviour of applications today:
> 
> Do they:
> 1) Not even try to validate the path since issuer/subject don't match
> 2) Fail validation and display error
> 3) Fail validation, then go back and search for another path

In Sun's JDK 1.4.x, we ignore AKI/SKI so an AKI/SKI match
on unrelated certs is not a problem for us. I guess that
falls into category 3).

> In case there would be a followup to RFC 3280 my feeling is that
> increasing integers should be deprecated.

It's fine to deprecate this option (probably a
good idea), but we should also warn that AKI/SKI
may not match and that's fine. Nothing in RFC 3280
says this currently and that seems to be confusing
for implementors.

Thanks,

Steve Hanna
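The "category 3" behaviour discussed above, as an added example that is not code from the original thread or from any of the implementations it mentions: a small path builder that uses the AuthorityKeyIdentifier/SubjectKeyIdentifier pair only as a hint for ordering issuer candidates, and relies on the signature check to decide whether a candidate really issued the certificate. A mismatched (or absent) AKI therefore costs at most a wasted signature check rather than a validation failure, while a builder run with `strict_aki=True` shows the "fail and display error" behaviour for comparison. All certificates, names and key identifiers are constructed for the example, and the asymmetric signature is replaced by a labelled HMAC stand-in so that the block runs with only the Python standard library.

```python
"""AKI/SKI as a path-building hint, not a validation criterion (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    subject: str
    issuer: str
    ski: bytes               # SubjectKeyIdentifier extension value
    aki: Optional[bytes]     # AuthorityKeyIdentifier.keyIdentifier, None when absent
    key: bytes               # stand-in for the public key (see sign/signature_valid)
    signature: bytes = b""

    def tbs(self) -> bytes:
        """The 'to-be-signed' portion: every field except the signature."""
        return b"|".join([self.subject.encode(), self.issuer.encode(),
                          self.ski, self.aki or b"", self.key])


def sign(cert: Cert, issuer: Cert) -> Cert:
    # Stand-in for an RSA/ECDSA signature: an HMAC keyed with the issuer's key.
    # This is an assumption made so the example runs offline; a real validator
    # verifies an asymmetric signature with the issuer's public key.
    cert.signature = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return cert


def signature_valid(cert: Cert, issuer: Cert) -> bool:
    expected = hmac.new(issuer.key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def issuer_candidates(cert: Cert, pool: List[Cert], strict_aki: bool) -> List[Cert]:
    """Certificates whose subject name equals cert's issuer name.

    With strict_aki=False the AKI only reorders the list so that a matching SKI is
    tried first; with strict_aki=True a mismatch excludes the candidate outright.
    """
    cands = [c for c in pool if c.subject == cert.issuer]
    if cert.aki is None:
        return cands
    if strict_aki:
        return [c for c in cands if c.ski == cert.aki]
    return sorted(cands, key=lambda c: c.ski != cert.aki)  # stable: matches first


def build_path(leaf: Cert, intermediates: List[Cert], trust_anchors: List[Cert],
               strict_aki: bool = False, max_depth: int = 8) -> Optional[List[Cert]]:
    """Depth-first search from leaf to a trust anchor; None if no path is found."""
    pool = intermediates + trust_anchors

    def extend(path: List[Cert]) -> Optional[List[Cert]]:
        cert = path[-1]
        if any(cert is ta for ta in trust_anchors):
            return path
        if len(path) >= max_depth:
            return None
        for cand in issuer_candidates(cert, pool, strict_aki):
            if any(cand is p for p in path):
                continue  # avoid loops
            if not signature_valid(cert, cand):
                continue  # hint was wrong or candidate unrelated: keep searching
            found = extend(path + [cand])
            if found:
                return found
        return None

    return extend([leaf])


def path_subjects(path: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if path is None else [c.subject for c in path]


def make_fixture():
    """Constructed PKI: a root, a re-keyed intermediate (old and new certs with the
    same name) and a leaf signed by the new CA key but carrying the old key's AKI."""
    root = sign(Cert("Example Root", "Example Root", b"\x01", b"\x01", b"root-key"), None) \
        if False else Cert("Example Root", "Example Root", b"\x01", b"\x01", b"root-key")
    sign(root, root)  # self-signed trust anchor
    ca_old = sign(Cert("Example Ops CA", "Example Root", b"\x10", b"\x01", b"ops-key-old"), root)
    ca_new = sign(Cert("Example Ops CA", "Example Root", b"\x11", b"\x01", b"ops-key-new"), root)
    leaf = sign(Cert("server.example", "Example Ops CA", b"\x20", b"\x10", b"server-key"), ca_new)
    return root, ca_old, ca_new, leaf


if __name__ == "__main__":
    root, ca_old, ca_new, leaf = make_fixture()
    print("hint only:", path_subjects(build_path(leaf, [ca_old, ca_new], [root])))
    print("strict   :", path_subjects(build_path(leaf, [ca_old, ca_new], [root], strict_aki=True)))
```

With the hint-only policy the builder first tries the old CA certificate (its SKI matches the leaf's AKI), the signature check rejects it, and the search continues to the new CA certificate and on to the root. With `strict_aki=True` the only candidate is the old CA certificate, so the same leaf fails to validate even though a perfectly good path exists in the store.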