RE: AKI and SKI problem with RFC 3280?

"Al Arsenault" <aarsenau@xxxxxxx> writes:
>Okay, it's only a SHOULD, not a MUST, but the scenario you reference below
>only comes into play if I signed the CMS message using my CA cert, not my
>end-entity cert.
>
>Got an example where this is relevant if the sKID's of two different CA certs
>are the same?

My CMS example from earlier used with SCEP.

In any case something like this should never be allowed to happen as a matter
of basic protocol design. Creating a "unique" key ID and then specifically
telling people they can use non-unique IDs is just asking for trouble.

Peter.