[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AKI and SKI problem with RFC 3280?

To: ietf-pkix@xxxxxxx
Subject: Re: AKI and SKI problem with RFC 3280?
From: Michael Ströder <michael@xxxxxxxxxxxx>
Date: Wed, 22 Oct 2003 10:15:52 +0200
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <> <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007

Steve Hanna wrote:

A decent MUA would understand that there may be more
than one cert with the same SKI. AKI/SKI is just a
hint.

> [..]

Note also that AKI/SKI chaining SHOULD NOT be checked
during path validation. To be more explicit, it's
NOT true that the SKI of a CA certificate must match
the AKI of a certificate signed by that CA.


Reading this discussion I ask myself:
Is there any good reason to set AKI/SKI at all?
Is it worth for anything?
Or is it just YAPEB [1]?

Ciao, Michael.

[1] yet another PKIX extension bloat

Follow-Ups:
- RE: AKI and SKI problem with RFC 3280?
  - From: Peter Hesse
- Re: AKI and SKI problem with RFC 3280?
  - From: Stephen Kent

References:
- RE: AKI and SKI problem with RFC 3280?
  - From: Peter Gutmann
- Re: AKI and SKI problem with RFC 3280?
  - From: Steve Hanna

Prev by Date: RE: AKI and SKI problem with RFC 3280?
Next by Date: RE: AKI and SKI problem with RFC 3280?
Previous by thread: Re: AKI and SKI problem with RFC 3280?
Next by thread: Re: AKI and SKI problem with RFC 3280?
Index(es):
- Date
- Thread