Peter Hesse wrote:
> Currently, there is no commonly accepted way for a
> cross-certifying CA to accept the desired SKID in a request for
> cross-certification.
Why?
Do cross-certifying CAs discard all extensions inside the request, so
that it's not possible to specify the SKID by including it as an
extension inside the request?
But even when they do, then you need to specify all extensions to
include by hand, so you could insert the correct SKID transported out of
band, with the other info needed for that CA, wouldn't you?
It would be interesting if I'm proven wrong, but it seems to me
cross-certifying doesn't happen every day, and always involves some
manual operations, so is there really a good reason why you cannot do
this customisation of the parameters?
I just found a document from the pkiforum that endorses this method:
http://www.pkiforum.org/pdfs/AKID_SKID1-af3.pdf
It also reports that both the U.S. Federal Bridge CA and CESG
interoperability initiatives reported mismatches preventing proper
certification path construction.
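
The key-identifier matching discussed in this message, as an added example that is not part of the original e-mail: a request for cross-certification carries the desired SKID as an extension, and the cross-certifying CA either copies it or recomputes its own. It assumes the Python `cryptography` package; the CA names, the `cross_certify` helper and the SKID value are constructed for illustration, and only AKID/SKID matching is shown, not full path validation.

```python
import datetime, hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject, pubkey, issuer, signer_key, exts):
    """Sign a certificate carrying the given non-critical extensions."""
    now = datetime.datetime(2024, 1, 1)
    b = (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365)))
    for e in exts:
        b = b.add_extension(e, critical=False)
    return b.sign(signer_key, hashes.SHA256())

def cross_certify(csr, ca_key, honor_requested_skid):
    """Hypothetical cross-certifying 'CA A': copy the requested SKID or recompute it."""
    if honor_requested_skid:
        skid = csr.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    else:  # CA's own derivation: SHA-1 of the subject public key bits
        skid = x509.SubjectKeyIdentifier.from_public_key(csr.public_key())
    return issue("CA B", csr.public_key(), "CA A", ca_key, [skid])

def key_ids_chain(child, issuer_cert):
    """True when the child's AKID keyIdentifier equals the issuer certificate's SKID."""
    akid = child.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    skid = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return akid.key_identifier == skid.digest

def demo():
    a_key, b_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    spki = b_key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    # Constructed: CA B already uses a SKID that is not the SHA-1 form.
    b_skid = x509.SubjectKeyIdentifier(hashlib.sha256(spki).digest()[:20])
    # End-entity certificate issued by CA B, pointing at B's SKID through its AKID.
    ee = issue("user", ee_key.public_key(), "CA B", b_key,
               [x509.AuthorityKeyIdentifier(b_skid.digest, None, None)])
    # Request for cross-certification with the desired SKID as an extension.
    csr = (x509.CertificateSigningRequestBuilder().subject_name(name("CA B"))
           .add_extension(b_skid, critical=False).sign(b_key, hashes.SHA256()))
    honored = cross_certify(csr, a_key, honor_requested_skid=True)
    recomputed = cross_certify(csr, a_key, honor_requested_skid=False)
    return key_ids_chain(ee, honored), key_ids_chain(ee, recomputed)

if __name__ == "__main__":
    print(demo())
```

A path builder that selects issuer certificates by key identifier finds the cross-certificate only in the first case; in the second it holds the same key under a different SKID.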