Re: PKIX Path determination/construction/processing and AKI pointer hanging



> From: "Peter Williams" <peterw@valicert.com>
>
> David,
> 
> You seem to have invented a technical term "continuous chain."
> 
> What is a "continuous chain"?
> 
> "  If a certificate path chosen by a relying party is not
>   a continuous chain between the certificate being validated
>   and a certificate trusted by the relying party, can one designate
>   otherwise normal processing of that chain as conforming to RFC 2459?"
> 
> Does a cert path which has hanging AKI backpointers constitute
> a continuous chain (all things about the chain or the RP's locally trusted
> authority being otherwise acceptable/valid to the relying party
> and 2459 descriptive formalisms)?


A (properly formed) continuous chain obeys the RFC 2459 Section 6.1
"path processing actions" item (a)(4): the subject and issuer names
chain correctly.

Section 4.2.1.1 says that conforming CAs MUST include the key identifier
field in the AKI extension, which MUST be non-critical.

Section 4.2.1.2 says that the SKI extension MUST appear in conforming
CA certificates, that the SKI value must match the value of AKI in the 
subordinate certificates, and that the SKI extension MUST be non-critical.


Now, what do you mean by a hanging AKI backpointer?  If a cert contains
an AKI extension and its parent cert does not contain an SKI extension
with the same value, then the CA is not in conformance with Section
4.2.1.x.  That is a serious error on the part of the CA, and calls into
question the CA's competence and attention to detail.  But if despite
the bad or missing information in the key identifier extensions, the RP
is able to find (perhaps by trial and error) an issuer cert which can
be used to verify the signature on the issued cert, then I agree that
an otherwise valid path may still be considered valid.

I am sorry, but I had trouble understanding what you meant by the
previous posting.  On the one hand you seemed to be discussing a
separation of "trust" and mechanical processing, and on the other hand
you seemed to be discussing the purely mechanical processing of key
identifier extensions.  In the latter case, my answer to the question
is yes, I agree.
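An added illustration, not part of this thread: the Go program below (standard library only; the CA names, keys and the "stale key id" value are constructed for the demo) implements the two-step issuer search discussed above. Pass 1 follows the Section 4.2.1.1/4.2.1.2 key-identifier linkage; pass 2 is the trial-and-error fallback for a hanging AKI backpointer, accepting only the name-matching candidate whose key actually verifies the signature. The scenario re-keys a CA so two candidates share the issuer name, which is exactly where the key identifiers would normally disambiguate.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// FindIssuer: pass 1 follows the RFC 2459 4.2.1.1/4.2.1.2 linkage (issuer name plus cert.AKI == candidate.SKI);
// pass 2 copes with a hanging AKI by trying each name-matching candidate's key. The bool says whether pass 1 hit.
func FindIssuer(cert *x509.Certificate, pool []*x509.Certificate) (*x509.Certificate, bool) {
	for _, strict := range []bool{true, false} {
		for _, c := range pool {
			if string(cert.RawIssuer) == string(c.RawSubject) && (!strict || len(cert.AuthorityKeyId) > 0 &&
				string(cert.AuthorityKeyId) == string(c.SubjectKeyId)) && cert.CheckSignatureFrom(c) == nil {
				return c, strict
			}
		}
	}
	return nil, false
}

// makeCert issues a constructed test certificate; issuer == nil means a self-signed CA.
func makeCert(cn string, issuer *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: issuer == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if issuer == nil { // Go derives the SKI for a CA template and copies it into each child's AKI
		issuer, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic("constructing the test certificate failed")
	}
	return cert, key
}

// Scenario: a re-keyed CA (ca1 and ca2 share a name) and a leaf issued by ca1; reports the pass 1 result, then pass 2 once the AKI hangs.
func Scenario() (byKeyID, byTrial bool) {
	ca1, k1 := makeCert("Example CA", nil, nil)
	ca2, _ := makeCert("Example CA", nil, nil)
	leaf, _ := makeCert("leaf", ca1, k1)
	iss, linked := FindIssuer(leaf, []*x509.Certificate{ca2, ca1})
	byKeyID = linked && iss == ca1
	leaf.AuthorityKeyId = []byte("stale key id") // constructed: overwrite the parsed field to simulate the hanging backpointer
	iss, linked = FindIssuer(leaf, []*x509.Certificate{ca2, ca1})
	return byKeyID, iss == ca1 && !linked
}
```

Scenario() returns (true, true): with the linkage intact the issuer is found by key identifiers, and once the AKI hangs it is still found, but only by trial verification.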