
RE: AKI and SKI problem with RFC 3280?



Santosh Chokhani wrote:
> My e-mail needs to be read in the context of the producers.  
> The CAs as producers need to ensure that the AKI and SKI chain.
> If the CAs do not do that, they are not compliant with 3280.  
> That means in order to comply with 3280 issuing CA needs to 
> honor the SKID requested by the subject CAs.

I think we're in violent agreement.  My main point was that although the
producer needs to ensure that AKID and SKID chain, cross-PKI
interoperability will cause cases in which the producer must choose
between two (or more) equally valid AKIDs to place in a subject
certificate.  Either of them will chain successfully and the producer
will be compliant; but as a result there will be valid paths where the
AKID and SKID will not chain, through no fault of the producer.

--Peter

+---------------------------------------------------------------+
| Peter Hesse                    pmhesse@xxxxxxxxxxxxxxxxxx     |
| Phone: (703)934-2031         Gemini Security Solutions, Inc.  |
| ICQ: 1942828                     www.geminisecurity.com       |
+---------------------------------------------------------------+
"Pay no attention to what the critics say; there has never been 
a statue set up in honor of a critic." --Jean Sibelius
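
The case described in the message above, as an added example that is not part of the original thread: a CA holding one key is certified by two PKIs with different SKIDs, so the single AKID it places in a subject certificate can match only one of them. All names, key labels and identifier values are constructed, and signature verification is simulated by comparing key labels.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    subject_key: str      # stand-in for the public key carried in the cert
    signing_key: str      # stand-in for "signature verifies under this key"
    skid: Optional[str]
    akid: Optional[str]

# Constructed certificates. CA "X" has one key (kX) but is certified twice,
# and the two issuers assigned different SKID values to that same key.
CERTS = [
    Cert("RootA", "RootA", "kA", "kA", "a1", None),
    Cert("RootB", "RootB", "kB", "kB", "b1", None),
    Cert("X", "RootA", "kX", "kA", "s1", "a1"),   # issued inside PKI A
    Cert("X", "RootB", "kX", "kB", "s2", "b1"),   # cross-certificate from PKI B
    Cert("EE", "X", "kEE", "kX", None, "s1"),     # X had to pick one AKID: s1
]

def build_paths(target, anchors, strict_kid):
    """Return every path from target up to a self-signed trust anchor."""
    paths = []
    def extend(path):
        child = path[-1]
        if child.subject in anchors and child.subject == child.issuer:
            paths.append(path)
            return
        for parent in CERTS:
            if parent in path or parent.subject != child.issuer:
                continue      # name chaining
            if parent.subject_key != child.signing_key:
                continue      # simulated signature check
            if (strict_kid and child.akid and parent.skid
                    and child.akid != parent.skid):
                continue      # key identifiers used as a hard filter
            extend(path + [parent])
    extend([target])
    return paths

def anchors_reached(strict_kid, anchors):
    """Trust anchors reachable from the end-entity certificate."""
    ee = CERTS[-1]
    return sorted(p[-1].subject for p in build_paths(ee, anchors, strict_kid))
```

A relying party anchored at RootB finds the path only when key identifiers are not a hard filter, although names and signatures chain in both cases.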