
Re: Authority Key Id.



Krylov Pavel wrote:
> 
> Hi all!
> I read about Authority Key Id. and found some strange things.
> As I know, a certificate is distinguishable from all other certificates
> by the pair { IssuerCA, SerialNumber }. But Authority Key Id. ( AKId )
> contains authorityCertSerialNumber! Does it mean that I can separate the CA
> certificate by the pair {Issuer[of current end-user cert] + AltIssuerName,
> SerialNumber(from AKId)} ?

No.  AuthorityKeyIdentifier (in the non-KeyIdentifier usage) contains
both the IssuerName and the SerialNumber of the issuer certificate.
That is, authorityCertIssuer and authorityCertSerialNumber must be
present as a pair.  The official ASN.1 looks something like:

AuthorityKeyIdentifier ::= SEQUENCE {
    keyIdentifier             [0] KeyIdentifier            OPTIONAL,
    authorityCertIssuer       [1] GeneralNames             OPTIONAL,
    authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }
    ( WITH COMPONENTS { ..., authorityCertIssuer PRESENT,
                             authorityCertSerialNumber PRESENT } |
      WITH COMPONENTS { ..., authorityCertIssuer ABSENT,
                             authorityCertSerialNumber ABSENT } )



> 
>    AuthorityKeyIdentifier ::= SEQUENCE {
>       keyIdentifier             [0] KeyIdentifier           OPTIONAL,
>       authorityCertIssuer       [1] GeneralNames            OPTIONAL,
>       authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
> 
> As I understand it, this is wrong. Example:
> 
> CA1 { SN1, Issuer1, Issuer1, .. }       CA2 {SN2, Issuer2, Issuer2, ..}
>                 |                                       |
>                 |                                       |
>                 |                                       |
> CA3:            V                                       V
>         { SN0, Issuer1, Subject3, .. }  {SN0, Issuer2, Subject3, .. }
>                                 |
>                                 |
>                                 |
> end-user                        V
> cert:           { SN123, Issuer3, Subject123, ..., AKId{[2] SN0}}

The end user cert would be:

                  { SN123, Issuer3, Subject123, ..., AKId{[1] Issuer1 [2] SN0}}
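The two points above (the WITH COMPONENTS constraint that pairs authorityCertIssuer with authorityCertSerialNumber, and the corrected end-user certificate that carries both [1] Issuer1 and [2] SN0) can be exercised with a small model of issuer lookup. This is an added example, not code from the thread; it uses a simplified, constructed representation of certificate fields (no DER, GeneralNames reduced to one name string), and the certificate names, serials and key identifiers are made up to reproduce the CA1/CA2/CA3 scenario from the question.

```python
"""Resolving an issuer certificate from the AuthorityKeyIdentifier (AKI) extension.
Hypothetical, simplified model of X.509 fields; constructed data only."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthorityKeyIdentifier:
    """The three OPTIONAL components of the ASN.1 AuthorityKeyIdentifier.
    GeneralNames is reduced to a single directory-name string for this example."""
    key_identifier: Optional[bytes] = None        # [0] KeyIdentifier
    authority_cert_issuer: Optional[str] = None   # [1] GeneralNames
    authority_cert_serial: Optional[int] = None   # [2] CertificateSerialNumber


@dataclass(frozen=True)
class Certificate:
    serial: int
    issuer: str
    subject: str
    subject_key_id: bytes                          # SubjectKeyIdentifier extension
    aki: Optional[AuthorityKeyIdentifier] = None


def aki_is_well_formed(aki: AuthorityKeyIdentifier) -> bool:
    """The WITH COMPONENTS constraint: authorityCertIssuer and
    authorityCertSerialNumber are either both present or both absent."""
    return (aki.authority_cert_issuer is None) == (aki.authority_cert_serial is None)


def find_issuer(cert: Certificate, candidates: List[Certificate]) -> List[Certificate]:
    """Return every candidate certificate that the AKI of `cert` points at.

    - keyIdentifier names a *key*, so it matches any certificate carrying that
      SubjectKeyIdentifier (several cross-certificates may share one key).
    - authorityCertIssuer + authorityCertSerialNumber name one *certificate*:
      the pair {issuer of the CA cert, serial of the CA cert}.
    In every case the candidate's subject must equal the end-entity's issuer name.
    """
    aki = cert.aki
    if aki is not None and not aki_is_well_formed(aki):
        raise ValueError("AKI violates WITH COMPONENTS: issuer and serial must be paired")
    matches = []
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        if aki is None:
            matches.append(cand)          # no AKI: name chaining only
            continue
        if aki.key_identifier is not None and cand.subject_key_id != aki.key_identifier:
            continue
        if aki.authority_cert_issuer is not None and (
                cand.issuer != aki.authority_cert_issuer
                or cand.serial != aki.authority_cert_serial):
            continue
        matches.append(cand)
    return matches


def example_certs() -> Dict[str, Certificate]:
    """Constructed data reproducing the thread's scenario: CA3 holds one key and
    two cross-certificates with the same serial (SN0), one from CA1, one from CA2."""
    ca3_key = b"\x03"
    return {
        "ca3_from_ca1": Certificate(0, "CN=CA1", "CN=CA3", ca3_key,
                                    AuthorityKeyIdentifier(key_identifier=b"\x01")),
        "ca3_from_ca2": Certificate(0, "CN=CA2", "CN=CA3", ca3_key,
                                    AuthorityKeyIdentifier(key_identifier=b"\x02")),
        # End-user cert with the paired form: AKId{[1] Issuer1, [2] SN0}
        "end_user": Certificate(123, "CN=CA3", "CN=User123", b"\x7b",
                                AuthorityKeyIdentifier(authority_cert_issuer="CN=CA1",
                                                       authority_cert_serial=0)),
        # Same cert carrying only [2] SN0, as in the question (not well-formed)
        "end_user_serial_only": Certificate(123, "CN=CA3", "CN=User123", b"\x7b",
                                            AuthorityKeyIdentifier(authority_cert_serial=0)),
        # Same cert using the [0] keyIdentifier form instead
        "end_user_keyid": Certificate(123, "CN=CA3", "CN=User123", b"\x7b",
                                      AuthorityKeyIdentifier(key_identifier=ca3_key)),
    }


if __name__ == "__main__":
    certs = example_certs()
    cas = [certs["ca3_from_ca1"], certs["ca3_from_ca2"]]
    print([c.issuer for c in find_issuer(certs["end_user"], cas)])        # ['CN=CA1']
    print([c.issuer for c in find_issuer(certs["end_user_keyid"], cas)])  # ['CN=CA1', 'CN=CA2']
    try:
        find_issuer(certs["end_user_serial_only"], cas)
    except ValueError as exc:
        print("rejected:", exc)
```

With the paired form the lookup returns exactly the CA3 certificate issued by CA1; with serial SN0 alone the extension is rejected as malformed, since SN0 by itself cannot tell the two CA3 certificates apart. The keyIdentifier form matches both CA3 certificates, which is correct for signature verification (same key) but does not pin one certificate the way the issuer/serial pair does.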


> 
> How can end-user software understand which certificate is needed?
> Or is authorityCertSerialNumber a support field?
> 
> And another question:
>         A certificate contains IssuerName and Alt.IssuerName. Well
>         then, for what purposes does AKId contain authorityCertIssuer?
>         Is it an alias name for IssuerCA? Or does it match
>         { IssuerName, Alt.IssuerName }?
> 
> What did I misunderstand?
> Thanks a lot.
> 
> ___________________________________________
> Pavel Krylov    Pavel.Krylov@trustworks.com