
Authority Key Id.



Hi all!
I read about Authority Key Id. and found some strange things.
As far as I know, a certificate is distinguishable from all other
certificates by the pair { IssuerCA, SerialNumber }. But Authority Key Id.
( AKId ) contains authorityCertSerialNumber! Does it mean that I can
distinguish the CA certificate by the pair
{Issuer[of current end-user cert] + AltIssuerName, SerialNumber(from AKId)} ?

   AuthorityKeyIdentifier ::= SEQUENCE {
      keyIdentifier             [0] KeyIdentifier           OPTIONAL,
      authorityCertIssuer       [1] GeneralNames            OPTIONAL,
      authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }

As I understand it, that's wrong. Example:

CA1 { SN1, Issuer1, Issuer1, .. }       CA2 {SN2, Issuer2, Issuer2, ..}
		|					|
		|					|
		|					|
CA3:		V					V
	{ SN0, Issuer1, Subject3, .. }  {SN0, Issuer2, Subject3, .. }
				|
				|
				|
end-user			V
cert:		{ SN123, Issuer3, Subject123, ..., AKId{[2] SN0}}

How can end-user software understand which certificate is needed?
Or is authorityCertSerialNumber a support field?

And more questions:
	A certificate contains IssuerName and Alt.IssuerName. Well
	then, for what purpose does AKId contain authorityCertIssuer?
	Is it an alias name for IssuerCA? Or does it match
	{ IssuerName, Alt.IssuerName }?

What did I misunderstand?
Thanks a lot.

___________________________________________
Pavel Krylov 	Pavel.Krylov@trustworks.com
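
The selection problem in the diagram above, as an added example that is not part of the original message: it filters a pool of candidate CA certificates using each AKId field, treating authorityCertIssuer and authorityCertSerialNumber as the issuer name and serial number of the CA's own certificate. Assumptions: certificates are modelled as plain Python values rather than parsed DER, "Subject3" and "Issuer3" in the diagram are taken to be the same name (written CA3), and both CA3 certificates carry the same CA key.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AKI:                      # the three optional AuthorityKeyIdentifier fields
    key_identifier: Optional[bytes] = None
    authority_cert_issuer: Optional[str] = None
    authority_cert_serial: Optional[str] = None

@dataclass(frozen=True)
class Cert:                     # simplified model, names as strings (assumption)
    serial: str
    issuer: str
    subject: str
    subject_key_id: Optional[bytes] = None
    aki: Optional[AKI] = None

def issuer_candidates(cert, pool):
    """Certificates in pool that could sit directly above cert in a path."""
    aki = cert.aki or AKI()
    found = []
    for ca in pool:
        if ca.subject != cert.issuer:
            continue            # name chaining: CA subject must equal cert issuer
        if None not in (aki.key_identifier, ca.subject_key_id) \
                and aki.key_identifier != ca.subject_key_id:
            continue            # keyIdentifier is matched against the CA's SKI
        # authorityCertIssuer/SerialNumber describe the CA *certificate*:
        # its own issuer and serial, not the issuer name of `cert`.
        if aki.authority_cert_issuer not in (None, ca.issuer):
            continue
        if aki.authority_cert_serial not in (None, ca.serial):
            continue
        found.append(ca)
    return found

# Constructed data mirroring the diagram: two CA3 certificates, same serial and
# same CA key (constructed key id), issued by different CAs.
CA3_BY_CA1 = Cert("SN0", "Issuer1", "CA3", subject_key_id=b"\x03")
CA3_BY_CA2 = Cert("SN0", "Issuer2", "CA3", subject_key_id=b"\x03")
POOL = [CA3_BY_CA1, CA3_BY_CA2]

def end_user(aki):
    return Cert("SN123", "CA3", "Subject123", aki=aki)

if __name__ == "__main__":
    for aki in (AKI(authority_cert_serial="SN0"),          # as drawn in the post
                AKI(key_identifier=b"\x03"),
                AKI(authority_cert_issuer="Issuer2", authority_cert_serial="SN0")):
        print(aki, "->", [c.issuer for c in issuer_candidates(end_user(aki), POOL)])
```

The serial number alone, or the key identifier alone, leaves both CA3 certificates as candidates; only the issuer and serial together narrow the pool to one. The filter only selects candidates, and signature verification on the path still decides whether a candidate is accepted.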