[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: AKI and SKI problem with RFC 3280?
Based on a review of Sections 4.2.1.2 and 4.2.1.1 of 3280, I draw the
following conclusion: A 3280 compliant CA MUST ensure that AKI and SKI chain
properly. This is sufficient for path construction. Thus, I do not see a
particular need to change 3280 in this area.
The various methods for calculating these values and their probability of
collision need not be described in 3280. As others have pointed out, AKI
and SKI need not be unique or different globally. For efficient path
development, it is sufficient that AKI and SKI be different, with high
degree of probability, for different keys of the same entity. The algorithm
chosen can be left up to the CA. The proper chaining of AKI and SKI (not
for path validation, but for path construction) is important. By proper
chaining, I mean that the SKI in certificate(s) issued to a CA for a
specific public key should (I read 3280 to say MUST, and I like that over
SHOULD) match the AKI in those certificates that the CA issues which are
verified using the said specific public key.
Santosh Chokhani
Orion Security Solutions, Inc.
1489 Chain Bridge Road, Suite 300
McLean, Virginia 22101
(703) 917-0060 Ext. 35(voice)
(703) 917-0260 (Fax)
chokhani@xxxxxxxxxxxx
Visit our Web site
http://www.orionsec.com