Re: PKIX Path determination/construction/processing and AKI pointer hanging
> From: "Peter Williams" <peterw@valicert.com>
>
> Bob,
>
> I like much of your thinking. It seems suited to the general Internet
> culture.
>
> If a cert path has two certs (A & B), and the second (B) has an authority
> key identifier pointer to its parent, can the chain be valid
> if the identified parent is specifically NOT A, according to PKIX?
>
> This situation happens when, as per your example, unidirectional, unilateral
> cross-certification (without policy mapping, say) occurs into a
> hierarchical,
> policy-oriented PKI domain which has pre-established AKI backpointers.
Aha, now I understand the question. But I still don't understand the
issue.
The second cert (B) contains a signature value which was generated
by its parent, call it C. B contains an AKI pointing to C.
If the cert path A->B passes the signature verification, then A's
public key must be able to verify a signature created by C's private
key. AFAIK, that can happen only if A knows C's private key.
Are you asking if RFC 2459 allows unilateral unidirectional
cross-certification by means of private key sharing? Perhaps it
does, but the very idea seems imprudent, to say the least.
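The reasoning in the reply above, as an added worked example that is not part of the original thread: a toy path checker that reports, per link, whether the child's authority key identifier names the parent's subject key identifier (a path-construction hint) and whether the parent's public key actually verifies the child's signature (the cryptographic test). It then runs the three situations discussed: the hierarchical issuer C validating B, the foreign CA A presented as B's parent, and a CA "A2" that shares C's private key. Everything in it is constructed for illustration: the certificate fields, key identifiers, CA names, and the textbook RSA over fixed small primes with no padding, which is not a real signature scheme and stands in for RFC 2459 encodings and PKCS#1 signatures.

```python
"""Toy PKIX-style path check: AKI/SKI hint versus actual signature verification.

Constructed example. The "RSA" here is unpadded textbook RSA over tiny fixed
primes, used only so the script runs offline; it is not a usable signature scheme.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

E = 65537


def make_key(p, q):
    """Return ((n, e), d) for a toy RSA key built from two fixed primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, E), d


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the to-be-signed bytes, reduced into Z_n (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(tbs: bytes, pub, priv: int) -> int:
    n, _ = pub
    return pow(digest(tbs, n), priv, n)


def verify(tbs: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(tbs, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple           # (n, e) of the subject's key
    ski: str             # subjectKeyIdentifier, chosen by the issuing CA (constructed values)
    aki: Optional[str]   # authorityKeyIdentifier: the issuer's SKI the cert claims to chain to
    sig: int             # signature over tbs() by the issuer's private key

    def tbs(self) -> bytes:
        # Deterministic stand-in for the DER tbsCertificate; the signature is not part of it.
        return f"{self.subject}|{self.issuer}|{self.pub}|{self.ski}|{self.aki}".encode()


def issue(subject, subject_pub, ski, issuer, issuer_pub, issuer_priv, aki):
    unsigned = Cert(subject, issuer, subject_pub, ski, aki, sig=0)
    return Cert(subject, issuer, subject_pub, ski, aki,
                sign(unsigned.tbs(), issuer_pub, issuer_priv))


def check_path(path):
    """Walk path[0] -> path[1] -> ... and report, for each link, the AKI hint
    and the real test: does the parent's public key verify the child's signature?"""
    results = []
    for parent, child in zip(path, path[1:]):
        results.append({
            "link": f"{parent.subject}->{child.subject}",
            "aki_matches": child.aki == parent.ski,
            "sig_ok": verify(child.tbs(), child.sig, parent.pub),
        })
    return results


# Hierarchical, policy-oriented domain: root C issues B with an AKI back-pointer to C.
c_pub, c_priv = make_key(7907, 7919)
b_pub, _b_priv = make_key(7879, 7877)
cert_c = issue("C", c_pub, "ski-C", "C", c_pub, c_priv, aki=None)      # self-signed root
cert_b = issue("B", b_pub, "ski-B", "C", c_pub, c_priv, aki="ski-C")   # B signed by C

# Foreign CA A, the would-be cross-certifier, with its own key.
a_pub, a_priv = make_key(7901, 7883)
cert_a = issue("A", a_pub, "ski-A", "A", a_pub, a_priv, aki=None)

# CA "A2" that (imprudently) holds C's private key but has its own name and SKI.
cert_a_shared = issue("A2", c_pub, "ski-A2", "A2", c_pub, c_priv, aki=None)


def scenarios():
    """The three situations from the discussion, keyed by who is presented as B's parent."""
    return {
        "C->B (real issuer)": check_path([cert_c, cert_b]),
        "A->B (foreign CA, distinct key)": check_path([cert_a, cert_b]),
        "A2->B (shares C's private key)": check_path([cert_a_shared, cert_b]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

Only the real issuer C satisfies both checks. With A's own key the AKI does not match and, more importantly, the signature does not verify, so the path A->B is simply not a valid chain. Only when A2 holds C's private key does the signature verify under a parent whose SKI the AKI does not name, which is exactly the key-sharing case the reply calls imprudent; the AKI mismatch alone is just a construction hint, not what decides validity.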