Re: Question about Part 1...
On Thu, 25 Sep 1997, Brian Korver wrote:
>
> Marc Branchaud writes:
> >
> > 4.2.1.1 Authority Key Identifier
> >
> > Does the authorityCertIssuer field indicate the CA that signed the
> > certificate, or the CA that issued a certificate for the CA that signed
> > the certificate (i.e. the CA's parent CA)?
>
> The latter. For instance, here's a 3-level cert hierarchy (with a self-signed
> root):
>
> Serial: 1
> Issuer: Root CA
> Subject: Root CA
>
> Serial: 2
> Issuer: Root CA
> Subject: UnderRoot CA
> AuthorityCertIssuer: Root CA
> AuthorityCertSerial: 1
>
> Serial: 3
> Issuer: UnderRoot CA
> Subject: EndEntity
> AuthorityCertIssuer: Root CA
> AuthorityCertSerial: 2
>
I suggest that the draft clarify this. Including this example would be
most helpful. At the least, change the first sentence of the second
paragraph from
"The identification can be based on either the key identifier (the subject
key identifier in the issuer's certificate) or on the issuer name and
serial number."
to
"The identification information is obtained from the issuer's certificate
(i.e. the certificate for the issuer's key, signed by a parent CA). The
identification can be based on either the key identifier, or the
issuer's name and serial number, from that certificate."
Marc
Marc Branchaud
Chief PKI Architect, XCERT SOFTWARE INC.
marcnarc@xcert.com
604-640-6210 x227
www.xcert.com
PKI References page: www.xcert.com/~marcnarc/PKI/
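The three-certificate hierarchy quoted above, built and walked in code, as an added example that is not part of the original message or of the PKIX draft. It uses the Python `cryptography` package (assumed available) and constructs its own keys, names and serial numbers. It encodes the AuthorityKeyIdentifier of each subordinate certificate exactly as the quoted example shows, with authorityCertIssuer and authorityCertSerialNumber naming the issuer's own certificate (the one signed by the parent CA), and also fills in the keyIdentifier form that the draft text mentions. `find_issuer` resolves the issuer from a pool the way the proposed wording describes, by matching the pair against each candidate's issuer name and serial number; `find_issuer_misread` applies the reading Marc asks about (authorityCertIssuer as the CA that signed the certificate, matched against candidate subjects) and shows that it finds nothing.

```python
"""Root CA -> UnderRoot CA -> EndEntity chain whose AuthorityKeyIdentifier
extensions carry the issuer-name / serial form discussed in the thread.
Added example using the `cryptography` package; all names, keys and
serial numbers are constructed for illustration."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, serial, issuer_cert, issuer_key, subject_key, is_ca):
    """Issue `subject`'s certificate under `issuer_cert` (None = self-signed).

    The AKI points at the certificate *of the issuer*: who issued it
    (issuer_cert.issuer) and its serial (issuer_cert.serial_number).  It
    never carries the issuer's own subject name or the new serial."""
    now = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    ski = x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key())
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject))
         .serial_number(serial)
         .public_key(subject_key.public_key())
         .not_valid_before(now)
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                        critical=True)
         .add_extension(ski, critical=False))
    if issuer_cert is None:
        # Self-signed root: issuer == subject; no AKI is needed here.
        return b.issuer_name(_name(subject)).sign(subject_key, hashes.SHA256())
    issuer_ski = issuer_cert.extensions.get_extension_for_class(
        x509.SubjectKeyIdentifier).value
    aki = x509.AuthorityKeyIdentifier(
        key_identifier=issuer_ski.digest,                       # issuer's SKI
        authority_cert_issuer=[x509.DirectoryName(issuer_cert.issuer)],
        authority_cert_serial_number=issuer_cert.serial_number)
    return (b.issuer_name(issuer_cert.subject)
             .add_extension(aki, critical=False)
             .sign(issuer_key, hashes.SHA256()))


def build_chain():
    """Serial 1: Root CA (self-signed); serial 2: UnderRoot CA; serial 3: EndEntity."""
    root_key, under_key, ee_key = (ec.generate_private_key(ec.SECP256R1())
                                   for _ in range(3))
    root = _cert("Root CA", 1, None, None, root_key, True)
    under = _cert("UnderRoot CA", 2, root, root_key, under_key, True)
    ee = _cert("EndEntity", 3, under, under_key, ee_key, False)
    return root, under, ee


def aki_pointer(cert):
    """(authorityCertIssuer as a Name, authorityCertSerialNumber) from the AKI."""
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    return aki.authority_cert_issuer[0].value, aki.authority_cert_serial_number


def find_issuer(cert, pool):
    """Locate cert's issuer in `pool` as the thread explains the AKI: the pair
    identifies the issuer's own certificate, so it is compared against each
    candidate's *issuer* name and serial.  The signature check confirms the pick
    (raises InvalidSignature if a matching certificate holds the wrong key)."""
    issuer_name, serial = aki_pointer(cert)
    for cand in pool:
        if cand.issuer == issuer_name and cand.serial_number == serial:
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
            return cand
    return None


def find_issuer_misread(cert, pool):
    """The other reading from the question: authorityCertIssuer taken as the CA
    that signed `cert`, so compared against candidate *subjects*.  Against a
    correctly encoded chain this matches nothing."""
    issuer_name, serial = aki_pointer(cert)
    for cand in pool:
        if cand.subject == issuer_name and cand.serial_number == serial:
            return cand
    return None


if __name__ == "__main__":
    root, under, ee = build_chain()
    for c in (under, ee):
        name, serial = aki_pointer(c)
        print(c.subject.rfc4514_string(), "-> AKI says issuer cert was issued by",
              name.rfc4514_string(), "with serial", serial)
    print("EndEntity issuer:", find_issuer(ee, [root, under, ee]).subject.rfc4514_string())
```

Note that `find_issuer` also verifies the signature: name and serial are only hints for path building, and a pool under attacker influence may contain a certificate that satisfies both without holding the signing key.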