
AKI and AuthorityCertIssuer



Tim,

I believe PKIX Part 1 is a bit misleading when describing AKI's
AuthorityCertIssuer. The text of the extension description
states:

|| The identification may be based on either the key identifier
|| (the subject key identifier in the issuer's certificate) or on
|| the issuer name and serial number.

The ASN.1 definition farther down in the standard lists the
components as:

|| authorityCertIssuer       [1] GeneralNames            OPTIONAL,
|| authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }

There has been a lot of confusion as to whether "issuer name" is
really the "issuer name" or the "issuer's issuer name." I believe
it has to be the latter case because the certificate already has the
issuer name so adding that to AKI provides no additional value.
Adding "issuer's issuer name" and "issuer serial number" however,
provides the missing link to the issuing certificate.

I would like to see the sentence restated similar to:

|| The identification may be based on either the key identifier
|| (the subject key identifier in the issuer's certificate) or on
|| the issuer's issuer name and issuer's serial number.

I've chosen "issuer's issuer name" because "authorityCertIssuer" seems
to lead to some confusion even though authority means the cert that
issued the cert with the AKI extension. Thus, "authorityCertIssuer"
should mean the signing CA's issuer.

One problem with the current definition is that using just "issuer
name" instead of "issuer's issuer name" works when verifying against
certificates issued directly off a self-signed CA where IDN = SDN. Thus,
implementors that only test against self-signed CAs may conclude
they have a proper implementation when, in fact, it only works by
coincidence.

I have confirmed with Steve Kent that "issuer's issuer name" is what
is intended for the authorityCertIssuer field.

Regards,

John


John Wang              | GTE Internetworking      | Tel: 781-455-5896
Technical Specialist   | 77 'A' Street, MS 03-41  | Fax: 781-455-4015
CyberTrust Solutions   | Needham, MA  02494-2892  |
john.wang@cybertrust.gte.com
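A small model of the matching the mail describes, added here as an example and not part of the original message: it contrasts the intended reading of authorityCertIssuer (the signing CA's issuer name) with the misreading (the certificate's own issuer name) and shows why the misreading only works for certificates issued directly by a self-signed root. Certificates are plain Python objects with string names rather than real ASN.1 GeneralNames, and all names and serial numbers are constructed.

```python
# Added example (not from the original mail): how a path builder uses the
# AKI components authorityCertIssuer and authorityCertSerialNumber to find
# the certificate that signed a given certificate. Certificates are modelled
# as plain dataclasses; names are strings, not ASN.1 GeneralNames.
from dataclasses import dataclass


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int


def aki_for(signer, misread=False):
    """Return (authorityCertIssuer, authorityCertSerialNumber) for a
    certificate signed by `signer`. Intended reading: the signer's own
    issuer name (the "issuer's issuer name") and the signer's serial.
    Misreading: the signer's subject, i.e. the new cert's own issuer name."""
    name = signer.subject if misread else signer.issuer
    return name, signer.serial


def find_issuer(aki_name, aki_serial, candidates):
    """Locate the signing certificate: the candidate whose own issuer name
    and serial number equal the AKI's authorityCertIssuer/SerialNumber."""
    return [c for c in candidates
            if c.issuer == aki_name and c.serial == aki_serial]


# Constructed hierarchy: a self-signed root and a subordinate CA it issued.
ROOT = Cert(subject="CN=Root", issuer="CN=Root", serial=1)
SUBCA = Cert(subject="CN=Sub", issuer="CN=Root", serial=7)
STORE = [ROOT, SUBCA]


def demo():
    """Run both readings for two end entities: one issued directly by the
    self-signed root (IDN = SDN, so both readings coincide) and one issued
    by SUBCA (where only the intended reading finds the signer)."""
    results = {}
    for label, misread in (("correct", False), ("misread", True)):
        results[("direct", label)] = find_issuer(*aki_for(ROOT, misread), STORE)
        results[("chained", label)] = find_issuer(*aki_for(SUBCA, misread), STORE)
    return results
```

Running `demo()` shows the misread AKI still resolves to ROOT for the directly-issued certificate, but resolves to nothing for the certificate issued by SUBCA.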