Re: AKI and AuthorityCertIssuer
"Wang, John" wrote:
>
> Tim,
>
> I believe PKIX Part 1 is a bit misleading when describing AKI's
> AuthorityCertIssuer. The text of the extension description
> states:
>
> || The identification may be based on either the key identifier
> || (the subject key identifier in the issuer's certificate) or on
> || the issuer name and serial number.
>
> The ASN.1 definition farther down in the standard lists the
> components as:
>
> || authorityCertIssuer [1] GeneralNames OPTIONAL,
> || authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
>
> There has been a lot of confusion as to whether "issuer name" is
> really the "issuer name" or the "issuer's issuer name." I believe
> it has to be the latter case because the certificate already has the
> issuer name so adding that to AKI provides no additional value.
> Adding "issuer's issuer name" and "issuer serial number" however,
> provides the missing link to the issuing certificate.
You are correct, it is the "issuer's issuer name".
>
> I would like to see the sentence restated similar to:
>
> || The identification may be based on either the key identifier
> || (the subject key identifier in the issuer's certificate) or on
> || the issuer's issuer name and issuer's serial number.
How about "...the issuer name and serial number of the issuer's
certificate" instead? And perhaps with a clarifying comment
"(the CA certificate that issued the certificate that the AKI
extension appears in)"?
>
> I've chosen "issuer's issuer name" because "authorityCertIssuer" seems
> to lead to some confusion even though authority means the cert that
> issued the cert with the AKI extension. Thus, "authorityCertIssuer"
> should mean the signing CA's issuer.
>
> One problem with the current definition is that using just "issuer
> name" instead of "issuer's issuer name" works when verifying against
> certificates issued directly off a self-signed CA where IDN = SDN. Thus,
> implementors that only test against self-signed CAs may conclude
> they have a proper implementation, when in fact, it only works by
> coincidence.
>
> I have confirmed with Steve Kent that "issuer's issuer name" is what
> is intended for the authorityCertIssuer field.
>
> Regards,
>
> John
>
> John Wang | GTE Internetworking | Tel: 781-455-5896
> Technical Specialist | 77 'A' Street, MS 03-41 | Fax: 781-455-4015
> CyberTrust Solutions | Needham, MA 02494-2892 |
> john.wang@cybertrust.gte.com
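The reading Tim confirms above, carried through in working code. This is an added example, not part of the thread and not code from any PKIX implementation the thread discusses; it uses only Go's standard library, builds a constructed root / sub CA / leaf chain with throwaway keys, and the names addAKI, nameSerialMatch, certIssuerMatches, naiveMatches, issue and buildChain are the example's own. It encodes the AKI with authorityCertIssuer set to the issuing certificate's own issuer name and authorityCertSerialNumber set to the issuing certificate's serial number, then checks a child certificate against a candidate issuer two ways: against the candidate's issuer name (the intended reading) and against the candidate's subject name (the misreading John describes), which agrees only when the candidate is a self-signed CA whose IDN equals its SDN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// authorityKeyId mirrors the AuthorityKeyIdentifier SEQUENCE quoted in the thread;
// crypto/x509 surfaces only keyIdentifier, so the other two components are handled here.
type authorityKeyId struct {
	KeyId      []byte          `asn1:"optional,tag:0"`
	CertIssuer []asn1.RawValue `asn1:"optional,tag:1"` // GeneralNames
	CertSerial *big.Int        `asn1:"optional,tag:2"`
}

var oidAKI = asn1.ObjectIdentifier{2, 5, 29, 35}

// addAKI gives tmpl the AKI a certificate signed by issuer should carry: the
// issuer's *own* issuer name and the serial number of the issuer's own certificate.
func addAKI(tmpl, issuer *x509.Certificate) error {
	der, err := asn1.Marshal(authorityKeyId{
		KeyId:      issuer.SubjectKeyId,
		CertIssuer: []asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: issuer.RawIssuer}}, // directoryName [4] Name
		CertSerial: issuer.SerialNumber,
	})
	if err != nil {
		return err
	}
	tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oidAKI, Value: der})
	return nil
}

// nameSerialMatch decodes child's AKI and compares its first authorityCertIssuer
// GeneralName (directoryName only) with name and its authorityCertSerialNumber with serial.
func nameSerialMatch(child *x509.Certificate, name []byte, serial *big.Int) bool {
	var aki authorityKeyId
	for _, e := range child.Extensions {
		if e.Id.Equal(oidAKI) {
			if _, err := asn1.Unmarshal(e.Value, &aki); err != nil {
				return false
			}
		}
	}
	if len(aki.CertIssuer) == 0 || aki.CertSerial == nil || aki.CertSerial.Cmp(serial) != 0 {
		return false
	}
	gn := aki.CertIssuer[0]
	return gn.Class == asn1.ClassContextSpecific && gn.Tag == 4 && string(gn.Bytes) == string(name)
}

// certIssuerMatches is the reading the thread settles on: the AKI name is the
// candidate issuer's *issuer* name and the AKI serial is the candidate's own serial.
func certIssuerMatches(child, candidate *x509.Certificate) bool {
	return nameSerialMatch(child, candidate.RawIssuer, candidate.SerialNumber)
}

// naiveMatches is the misreading John describes: the AKI name is compared with the
// candidate's *subject*, which equals its issuer name only for a self-signed CA.
func naiveMatches(child, candidate *x509.Certificate) bool {
	return nameSerialMatch(child, candidate.RawSubject, candidate.SerialNumber)
}

func must(err error) {
	if err != nil {
		panic(err) // setup failure in the constructed demo chain
	}
}

// issue generates a key and a certificate for cn/serial signed by parentKey; a nil
// parent means self-signed, otherwise addAKI links the new certificate to parent.
func issue(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	} else {
		must(addAKI(tmpl, parent))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// buildChain creates a constructed chain: self-signed root -> sub CA -> leaf.
func buildChain() (root, sub, leaf *x509.Certificate) {
	root, rootKey := issue(1, "Example Root CA", true, nil, nil)
	sub, subKey := issue(2, "Example Sub CA", true, root, rootKey)
	leaf, _ = issue(3, "leaf.example", false, sub, subKey)
	return
}

func main() {
	root, sub, leaf := buildChain()
	fmt.Println("sub CA vs root:  correct", certIssuerMatches(sub, root), "naive", naiveMatches(sub, root)) // true true
	fmt.Println("leaf vs sub CA:  correct", certIssuerMatches(leaf, sub), "naive", naiveMatches(leaf, sub)) // true false
}
```

Run with `go run`: both readings accept the sub CA against the self-signed root, which is exactly the coincidence John points out, while only the issuer-name reading accepts the leaf against the sub CA. The serial number does its own share of the work: checking the leaf against the root passes on the name (the root's subject is the sub CA's issuer) but fails on the serial.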