Re: Question about Part 1...
Marc Branchaud wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Thu, 25 Sep 1997, Brian Korver wrote:
> >
> > Marc Branchaud writes:
> > >
> > > 4.2.1.1 Authority Key Identifier
> > >
> > > Does the authorityCertIssuer field indicate the CA that signed the
> > > certificate, or the CA that issued a certificate for the CA that
> > > signed the certificate (i.e. the CA's parent CA)?
> >
> > The latter. For instance, here's a 3-level cert hierarchy (with a
> > self-signed root):
> >
> > Serial: 1
> > Issuer: Root CA
> > Subject: Root CA
> >
> > Serial: 2
> > Issuer: Root CA
> > Subject: UnderRoot CA
> > AuthorityCertIssuer: Root CA
> > AuthorityCertSerial: 1
> >
> > Serial: 3
> > Issuer: UnderRoot CA
> > Subject: EndEntity
> > AuthorityCertIssuer: Root CA
> > AuthorityCertSerial: 2
> >
>
> I suggest that the draft clarify this. Including this example would
> be most helpful. At the least, change the first sentence of the second
> paragraph from
>
> "The identification can be based on either the key identifier (the
> subject key identifier in the issuer's certificate) or on the issuer
> name and serial number."
>
> to
>
> "The identification information is obtained from the issuer's
> certificate (i.e. the certificate for the issuer's key, signed by a
> parent CA). The identification can be based on either the key
> identifier, or the issuer's name and serial number, from that
> certificate."
>
> Marc
Yes, this needs careful clarification. It may be helpful
to clarify how it is intended to be used in chain formation,
together with matching either the (explicit or implicit) subject key
identifier in the immediate parent cert or matching the
issuer and serial number in the immediate parent cert.
In addition, one might want to note that the use
of the authorityCertIssuer and authorityCertSerial fields
rather than the keyIdentifier field precludes later
re-rooting (or extension upward) of an existing CA
hierarchy, which is often desirable.
--
Anil R. Gangolli
Structured Arts Consulting Group
mailto:gangolli@StructuredArts.com
http://www.StructuredArts.com
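The two points raised in this thread (that the AKI issuer/serial pair names the parent CA's certificate, and that binding on issuer/serial rather than keyIdentifier breaks re-rooting) are easy to see in a toy chain builder. The code below is an added example, not part of the original message or of any PKIX implementation: it models certificates as plain Python records with constructed key bytes (the "key identifier" is just a SHA-1 over a placeholder key string), reproduces Brian Korver's three-certificate hierarchy in both AKI styles, and then re-issues the intermediate under a new root to show which style still chains. The function and field names are the example's own.

```python
"""Toy model of Authority Key Identifier (AKI) matching during chain formation.

Added example (not from the PKIX thread): certificates are simple records,
keys are constructed byte strings, and "signing" is not modelled at all;
only the AKI -> parent-certificate linkage is exercised.
"""
from dataclasses import dataclass
from hashlib import sha1
from typing import List, Optional


def key_id(public_key: bytes) -> bytes:
    """Key identifier derived from the public key (here: SHA-1 of placeholder bytes)."""
    return sha1(public_key).digest()


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    subject: str
    public_key: bytes                   # constructed stand-in for SubjectPublicKeyInfo
    aki_key_id: Optional[bytes] = None  # AKI keyIdentifier form
    aki_issuer: Optional[str] = None    # AKI authorityCertIssuer form ...
    aki_serial: Optional[int] = None    # ... with authorityCertSerialNumber

    @property
    def subject_key_id(self) -> bytes:
        return key_id(self.public_key)


def issuer_cert_for(cert: Cert, candidates: List[Cert]) -> Optional[Cert]:
    """Pick the candidate that is the issuer's certificate according to cert's AKI.

    keyIdentifier matches the candidate's subject key identifier;
    authorityCertIssuer/Serial match the candidate's OWN issuer name and serial,
    i.e. they name the certificate the parent CA received from its parent.
    """
    for c in candidates:
        if c.subject != cert.issuer:
            continue
        if cert.aki_key_id is not None:
            if c.subject_key_id == cert.aki_key_id:
                return c
            continue
        if cert.aki_issuer is not None:
            if (c.issuer, c.serial) == (cert.aki_issuer, cert.aki_serial):
                return c
            continue
        return c  # no AKI at all: the issuer name is the only link available
    return None


def build_chain(leaf: Cert, candidates: List[Cert]) -> Optional[List[Cert]]:
    """Walk from leaf to a self-signed root; None if any link cannot be resolved."""
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject:
        parent = issuer_cert_for(chain[-1], candidates)
        if parent is None:
            return None
        chain.append(parent)
    return chain


def chain_subjects(leaf: Cert, candidates: List[Cert]) -> Optional[List[str]]:
    chain = build_chain(leaf, candidates)
    return None if chain is None else [c.subject for c in chain]


# Constructed placeholder keys; real certificates would carry actual public keys.
ROOT_KEY, UNDER_KEY, LEAF_KEY, NEW_ROOT_KEY = b"root-key", b"underroot-key", b"ee-key", b"new-root-key"


def example_hierarchy(use_key_id: bool):
    """The Root CA / UnderRoot CA / EndEntity hierarchy from the thread, in one AKI style."""
    root = Cert(1, "Root CA", "Root CA", ROOT_KEY)
    if use_key_id:
        under = Cert(2, "Root CA", "UnderRoot CA", UNDER_KEY, aki_key_id=root.subject_key_id)
        leaf = Cert(3, "UnderRoot CA", "EndEntity", LEAF_KEY, aki_key_id=under.subject_key_id)
    else:
        # AuthorityCertIssuer/Serial name the parent CA's certificate: (Root CA, 1) and (Root CA, 2)
        under = Cert(2, "Root CA", "UnderRoot CA", UNDER_KEY, aki_issuer="Root CA", aki_serial=1)
        leaf = Cert(3, "UnderRoot CA", "EndEntity", LEAF_KEY, aki_issuer="Root CA", aki_serial=2)
    return root, under, leaf


def reroot(under: Cert, use_key_id: bool):
    """Re-issue the intermediate (same key, new serial) under a new self-signed root."""
    new_root = Cert(7, "New Root CA", "New Root CA", NEW_ROOT_KEY)
    if use_key_id:
        under2 = Cert(9, "New Root CA", under.subject, under.public_key, aki_key_id=new_root.subject_key_id)
    else:
        under2 = Cert(9, "New Root CA", under.subject, under.public_key, aki_issuer="New Root CA", aki_serial=7)
    return new_root, under2


if __name__ == "__main__":
    for style in (True, False):
        root, under, leaf = example_hierarchy(style)
        new_root, under2 = reroot(under, style)
        print("keyIdentifier" if style else "issuer/serial",
              chain_subjects(leaf, [root, under]), chain_subjects(leaf, [new_root, under2]))
```

Both styles resolve the original hierarchy. After re-rooting, the keyIdentifier-style end-entity certificate still chains through the re-issued intermediate (same key, so the same subject key identifier), whereas the issuer/serial-style one no longer resolves, because its AKI names "(Root CA, 2)" and the intermediate is now "(New Root CA, 9)". That is exactly the re-rooting limitation mentioned in the reply.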