
RE: AKI and AuthorityCertIssuer



Brian's clarification would be fine, resulting in:

"...or on the issuer name and serial number of the issuer's
certificate (the CA certificate that issued the certificate
that the AKI extension appears in)."

or

"...or on the issuer name and serial number of the issuer's
certificate (the CA certificate that issued the certificate
containing this extension)."

John

-----Original Message-----
From: Brian Korver [mailto:briank@CS.Stanford.EDU]
Sent: Tuesday, December 22, 1998 12:35 AM
To: Wang, John
Cc: wpolk@nist.gov; IETF PKIX (E-mail)
Subject: Re: AKI and AuthorityCertIssuer


"Wang, John" wrote:
> 
> Tim,
> 
> I believe PKIX Part 1 is a bit misleading when describing AKI's
> AuthorityCertIssuer. The text of the extension description
> states:
> 
> || The identification may be based on either the key identifier
> || (the subject key identifier in the issuer's certificate) or on
> || the issuer name and serial number.
> 
> The ASN.1 definition farther down in the standard lists the
> components as:
> 
> || authorityCertIssuer       [1] GeneralNames            OPTIONAL,
> || authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
> 
> There has been a lot of confusion as to whether "issuer name" is
> really the "issuer name" or the "issuer's issuer name." I believe
> it has to be the latter case because the certificate already has the
> issuer name so adding that to AKI provides no additional value.
> Adding "issuer's issuer name" and "issuer serial number" however,
> provides the missing link to the issuing certificate.

You are correct, it is the "issuer's issuer name".

> 
> I would like to see the sentence restated similar to:
> 
> || The identification may be based on either the key identifier
> || (the subject key identifier in the issuer's certificate) or on
> || the issuer's issuer name and issuer's serial number.

How about "...the issuer name and serial number of the issuer's
certificate" instead?  And perhaps with a clarifying comment
"(the CA certificate that issued the certificate that the AKI
extension appears in)"?



> 
> I've chosen "issuer's issuer name" because "authorityCertIssuer" seems
> to lead to some confusion even though authority means the cert that
> issued the cert with the AKI extension. Thus, "authorityCertIssuer"
> should mean the signing CA's issuer.
> 
> One problem with the current definition is that using just "issuer
> name" instead of "issuer's issuer name" works when verifying against
> certificates issued directly off self-signed CA where IDN = SDN. Thus,
> implementors that only test against self-signed CA's may conclude
> they have a proper implementation, when in fact, it only works by
> coincidence.
> 
> I have confirmed with Steve Kent that "issuer's issuer name" is what
> is intended for the authorityCertIssuer field.
> 
> Regards,
> 
> John
> 
> John Wang              | GTE Internetworking      | Tel: 781-455-5896
> Technical Specialist   | 77 'A' Street, MS 03-41  | Fax: 781-455-4015
> CyberTrust Solutions   | Needham, MA  02494-2892  |
> john.wang@cybertrust.gte.com
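An added example, not part of the thread, modelling the two readings of authorityCertIssuer discussed above against a constructed three-level chain (self-signed root, intermediate CA, end-entity certificate): the correct reading compares the AKI fields with the issuer certificate's own issuer name and serial number, while the misreading compares against the issuer's subject name and, as John notes, passes only by coincidence when the issuer is self-signed. The Cert class and names are assumptions for illustration, not a real X.509 parser.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    """Minimal model of the X.509 fields needed for AKI matching (constructed)."""
    subject: str
    issuer: str
    serial: int
    aki_issuer: Optional[str] = None   # AuthorityKeyIdentifier.authorityCertIssuer
    aki_serial: Optional[int] = None   # AuthorityKeyIdentifier.authorityCertSerialNumber

def aki_matches(cert: Cert, candidate: Cert) -> bool:
    """Correct reading: authorityCertIssuer is the issuer's *issuer* name and
    authorityCertSerialNumber is the issuer certificate's own serial number."""
    if cert.aki_issuer is None or cert.aki_serial is None:
        return False  # no issuer/serial form present; a verifier falls back to keyIdentifier
    return cert.aki_issuer == candidate.issuer and cert.aki_serial == candidate.serial

def aki_matches_naive(cert: Cert, candidate: Cert) -> bool:
    """Misreading: compares authorityCertIssuer with the candidate's *subject*
    (i.e. with the cert's own issuer name). Only works when the candidate is
    self-signed, because then subject == issuer (IDN = SDN)."""
    if cert.aki_issuer is None or cert.aki_serial is None:
        return False
    return cert.aki_issuer == candidate.subject and cert.aki_serial == candidate.serial

def find_issuer(cert: Cert, candidates, matcher=aki_matches) -> Optional[Cert]:
    """Name chaining (candidate.subject == cert.issuer) plus the AKI check."""
    for c in candidates:
        if c.subject == cert.issuer and matcher(cert, c):
            return c
    return None

# Constructed chain. The root is self-signed, so its subject equals its issuer.
ROOT = Cert(subject="CN=Example Root", issuer="CN=Example Root", serial=1)
# Intermediate: AKI carries the root's issuer name (itself) and the root's serial.
INTERMEDIATE = Cert(subject="CN=Example Sub CA", issuer="CN=Example Root", serial=42,
                    aki_issuer="CN=Example Root", aki_serial=1)
# Leaf: AKI carries the intermediate's issuer name (the root) and the intermediate's serial.
LEAF = Cert(subject="CN=leaf.example", issuer="CN=Example Sub CA", serial=1001,
            aki_issuer="CN=Example Root", aki_serial=42)

if __name__ == "__main__":
    # Both readings agree one level below a self-signed CA; only the correct one
    # resolves the leaf's issuer two levels down.
    print(find_issuer(INTERMEDIATE, [ROOT, INTERMEDIATE], aki_matches_naive) is ROOT)
    print(find_issuer(LEAF, [ROOT, INTERMEDIATE]) is INTERMEDIATE)
    print(find_issuer(LEAF, [ROOT, INTERMEDIATE], aki_matches_naive) is None)
```

Testing only against certificates issued directly by a self-signed CA cannot distinguish the two matchers; the intermediate-issued leaf is what exposes the misreading.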