
Re: AKI and SKI problem with RFC 3280?




Peter Hesse wrote:


+------------------+       +--------------------+
| Allied Pilots    |       | Boeing Root        |
| Association Root |       |                    |
|                  |       | SKID: Q            |
| SKID: A          |       |                    |
+------------------+       +--------------------+
          \                          /
           \                        /
            V                      V
=================================================
| +-------------------+   +-------------------+ |
| | American Airlines |   | American Airlines | |
| |                   |   |                   | |
| | SN: 12345         |   | SN: 87654         | |
| | SKID: Z           |   | SKID: Z           | |
| | AKID: A           |   | AKID: Q           | |
| +-------------------+   +-------------------+ |
=================================================
                        |
                        |
                        V
              +-------------------+
              | Joe Pilot         |
              |                   |
              | SKID: W           |
              | AKID: "American   |
              |   Airlines,       |
              |   12345"          |
              +-------------------+


This AKID is wrong. It should be "Allied Pilots Association Root, 12345".
This type of AKID is an issuer name/serial pair; this means pointing, amongst the certificates emitted by CA IssuerName, to the one that has the serial SN.
The American Airlines certificate is the certificate SN:12345 amongst those issued by "Allied Pilots Association Root".


You certainly know about this, but this particular misinterpretation of AKID tends to be a recurrent problem, so I feel better not to leave it uncorrected.
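
The issuer name/serial semantics described above, as an added example that is not part of the original message: a small model of the diagram's certificates showing which issuer certificates each form of AKID selects. The Cert class, the helper names and the root serial numbers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    skid: str
    akid_keyid: Optional[str] = None                      # keyIdentifier form
    akid_issuer_serial: Optional[Tuple[str, int]] = None  # issuer name/serial form

# Constructed model of the diagram; root serial numbers (1) are placeholders.
APA = "Allied Pilots Association Root"
BOEING = "Boeing Root"
POOL = [
    Cert(APA, APA, 1, "A"),
    Cert(BOEING, BOEING, 1, "Q"),
    Cert("American Airlines", APA, 12345, "Z", akid_keyid="A"),
    Cert("American Airlines", BOEING, 87654, "Z", akid_keyid="Q"),
]

def joe(keyid=None, issuer_serial=None) -> Cert:
    """Joe Pilot's certificate with the AKID under test."""
    return Cert("Joe Pilot", "American Airlines", 1, "W", keyid, issuer_serial)

def issuer_candidates(child: Cert, pool: List[Cert]) -> List[Cert]:
    """Certificates in pool that child's AKID allows as its issuer certificate."""
    out = []
    for ca in pool:
        if ca.subject != child.issuer:
            continue  # name chaining: CA subject must equal child's issuer
        if child.akid_keyid is not None and ca.skid != child.akid_keyid:
            continue  # key identifier form compares against the CA's SKID
        # Name/serial form points at the CA certificate itself, so it is
        # compared with that certificate's *issuer* name and serial number.
        if (child.akid_issuer_serial is not None
                and (ca.issuer, ca.serial) != child.akid_issuer_serial):
            continue
        out.append(ca)
    return out

def serials(child: Cert) -> List[int]:
    return sorted(c.serial for c in issuer_candidates(child, POOL))
```

With the AKID as drawn ("American Airlines", 12345) no certificate matches; with the corrected pair exactly SN 12345 is selected, while a key identifier of Z matches both American Airlines certificates.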