Re: [IETF-PKIX] PKIX questions (DH key and Key Identifier)
> 2. My other question is partly related to the above discussion, but
> regarding the algorithm for calculation of key identifier extensions.
> Ipki-part1 describes only in one place the way of calculating the value of
> key identifier. It is in section 4.2.1.2:
>
> "The subject key identifier extension provides a means of identifying
> the particular public key used in an application. Where a reference
> to a public key identifier is needed (as with an Authority Key
> Identifier) and one is not included in the associated certificate, a
> SHA-1 hash of the subject public key shall be used. The hash shall
> be calculated over the value (excluding tag and length) of the
> subject public key field in the certificate. This extension should
> be marked non-critical."
Unfortunately "subject public key field" here is ambiguous. I think this should
be clarified. The implementations I know of that already do this use the
hash over the DER encoding of the whole SubjectPublicKeyInfo. I think this is
the best interpretation as it includes the algorithm info as well as the key
in the hash.
--a.
--
Anil R. Gangolli
Structured Arts Computing Corp.
http://www.StructuredArts.com
mailto:gangolli@StructuredArts.com
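
Added example, not part of the original message or of any implementation it mentions: the two readings discussed above (plus the BIT STRING value without its unused-bits octet) computed side by side, showing that only the hash over the whole SubjectPublicKeyInfo changes when the algorithm information changes. The sample key, the helper names and the choice of second algorithm OID are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def key_identifier_candidates(spki_der):
    """SHA-1 over each reading of 'subject public key field'."""
    tag, body, end = read_tlv(spki_der)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("expected exactly one DER SEQUENCE")
    alg_tag, _, key_pos = read_tlv(body)                # AlgorithmIdentifier
    bit_tag, bits, body_end = read_tlv(body, key_pos)   # subjectPublicKey BIT STRING
    if alg_tag != 0x30 or bit_tag != 0x03 or body_end != len(body) or not bits:
        raise ValueError("not a SubjectPublicKeyInfo")
    sha1 = lambda data: hashlib.sha1(data).hexdigest()
    return {
        "whole_spki": sha1(spki_der),       # DER of SubjectPublicKeyInfo, algorithm included
        "bitstring_value": sha1(bits),      # BIT STRING value, tag and length excluded
        "key_bits_only": sha1(bits[1:]),    # same, minus the unused-bits octet
    }

# Constructed sample: a toy 64-bit RSA key as a BIT STRING, not a real key.
KEY = bytes.fromhex("0313003010020900d123456789abcdef0203010001")
# The same key under two AlgorithmIdentifiers that differ only in the OID's last arc.
SPKI_A = bytes.fromhex("3024300d06092a864886f70d0101010500") + KEY
SPKI_B = bytes.fromhex("3024300d06092a864886f70d01010a0500") + KEY

if __name__ == "__main__":
    for name, spki in (("SPKI_A", SPKI_A), ("SPKI_B", SPKI_B)):
        for reading, digest in key_identifier_candidates(spki).items():
            print(f"{name} {reading:16} {digest}")
```

Two parties that pick different readings derive different identifiers for the same certificate, so a key identifier computed locally will not match one computed by a peer unless both agree on the input bytes.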