RE: authorityKeyIdentifier and subjectkeyIdentifier inplement in the real case or model
I can really only answer this question for how Microsoft is currently doing
this, but at least some people in Microsoft have bought into SKI/AKI very big
time.
The Microsoft Certificate Servers in Win2000 will put AKI and SKI values
into all certificates issued by default. The Microsoft code does not appear
to match either of the RFC algorithms for computing the SKI value, but is
all internally consistent about how it does that computation. I believe
that you can actually put an SKI value into a certificate request and the
server will honor it.
The chaining code used on the new Microsoft products (IE 5.0 and Win2000
at least) is very strong into doing chaining with AKI values, to the extent
that it will ignore all Issuer/Subject chaining if the AKI extension exists
in a certificate. I personally have yet to decide if this is the correct
behavior, but that is not one of the areas over which I have a large amount
of control.
So,
-- AKI and SKI are implemented in the real world.
-- If a certificate has an AKI, but the corresponding SKI is missing there
may be problems in doing the chaining for some products. (I think this is a
fault in the products and they should be falling back to name chaining if no
matches are found.)
-- If both are missing then everybody falls back to the good old name
chaining code.
jim
-----Original Message-----
From: u8142010 [mailto:u8142010@ms2.seeder.net]
Sent: Friday, June 04, 1999 2:59 AM
To: ietf-pkix@imc.org
Subject: authorityKeyIdentifier and subjectkeyIdentifier inplement in
the real case or model
Hi:
I read the X.509 V3 document and felt some confusion about
authorityKeyIdentifier and subjectKeyIdentifier.
Are authorityKeyIdentifier and subjectKeyIdentifier implemented in the
real case or model, and how is the flow implemented?
Without subjectKeyIdentifier, will verification of the client's certs be
confused or fail? And in what situation does it happen?
Best Regards,
James L.
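The issuer-selection cases summarised in the reply above, as an added illustration that is not code from either poster or from any Microsoft product. The `Cert` record, the function name `candidate_issuers`, the `fall_back_to_names` switch and all sample values are hypothetical and constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed certificate (chaining fields only)."""
    subject: str
    issuer: str
    ski: Optional[bytes] = None  # subjectKeyIdentifier
    aki: Optional[bytes] = None  # authorityKeyIdentifier, keyIdentifier form

def candidate_issuers(cert: Cert, pool: List[Cert],
                      fall_back_to_names: bool) -> List[Cert]:
    """Return the certificates in pool that may have issued cert.

    These are candidates only: a path builder must still verify the
    signature on cert with each candidate's public key.
    """
    by_name = [c for c in pool if c.subject == cert.issuer]
    if cert.aki is None:
        # No AKI in the certificate: plain Issuer/Subject name chaining.
        return by_name
    # AKI present: match it against the SKI of each possible issuer and
    # ignore names, as the reply describes for AKI-based chaining.
    by_key = [c for c in pool if c.ski is not None and c.ski == cert.aki]
    if by_key or not fall_back_to_names:
        return by_key
    # AKI present but no SKI matched: fall back to name chaining.
    return by_name

# Constructed sample data.
CA_WITH_SKI = Cert("CN=Example CA", "CN=Example Root", ski=b"\x01\x02")
CA_NO_SKI = Cert("CN=Legacy CA", "CN=Example Root")
LEAF_OK = Cert("CN=leaf1", "CN=Example CA", aki=b"\x01\x02")
LEAF_ORPHAN = Cert("CN=leaf2", "CN=Legacy CA", aki=b"\x0a\x0b")
LEAF_PLAIN = Cert("CN=leaf3", "CN=Legacy CA")
POOL = [CA_WITH_SKI, CA_NO_SKI]

if __name__ == "__main__":
    for leaf in (LEAF_OK, LEAF_ORPHAN, LEAF_PLAIN):
        for fallback in (False, True):
            found = [c.subject for c in candidate_issuers(leaf, POOL, fallback)]
            print(leaf.subject, "fallback=%s" % fallback, found)
```

`LEAF_ORPHAN` is the case from the second summary point: its AKI matches no SKI in the pool, so it finds no issuer unless name fallback is enabled.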