
Fw: authorityKeyIdentifier and subjectkeyIdentifier implement in the real case or model



What attributes of authorityKeyIdentifier do you put, keyIdentifier, or
authorityCertIssuer and authorityCertSerialNumber?
In the end user's certificates, does subjectKeyIdentifier have a purpose
or function to support the cert verification or trading security? In what
situation will the subjectKeyIdentifier be useful?

Rgs,

Jame Lam.
----- Original Message -----
From: Jim Schaad (Exchange) <jimsch@EXCHANGE.MICROSOFT.com>
To: 'u8142010' <u8142010@ms2.seeder.net>; <ietf-pkix@imc.org>
Sent: Saturday, June 05, 1999 2:17 AM
Subject: RE: authorityKeyIdentifier and subjectkeyIdentifier implement in
the real case or model


> I can really only answer this question for how Microsoft is currently doing
> this, but at least some people in Microsoft have bought into SKI/AKI very big
> time.
>
> The Microsoft Certificate Servers in Win2000 will put AKI and SKI values
> into all certificates issued by default.  The Microsoft code does not appear
> to match either of the RFC algorithms for computing the SKI value, but is
> all internally consistent about how it does that computation.  I believe
> that you can actually put an SKI value into a certificate request and the
> server will honor it.
>
> The chaining code used on the new Microsoft products (IE 5.0 and Win2000
> at least) is very strong into doing chaining with AKI values, to the extent
> that it will ignore all Issuer/Subject chaining if the AKI extension exists
> in a certificate.  I personally have yet to decide if this is the correct
> behavior, but that is not one of the areas over which I have a large amount
> of control.
>
> So,
> -- AKI and SKI are implemented in the real world.
> -- If a certificate has an AKI, but the corresponding SKI is missing there
> may be problems in doing the chaining for some products. (I think this is a
> fault in the products and they should be falling back to name chaining if no
> matches are found.)
> -- If both are missing then everybody falls back to the good old name
> chaining code.
>
> jim
>
>
> -----Original Message-----
> From: u8142010 [mailto:u8142010@ms2.seeder.net]
> Sent: Friday, June 04, 1999 2:59 AM
> To: ietf-pkix@imc.org
> Subject: authorityKeyIdentifier and subjectkeyIdentifier implement in
> the real case or model
>
>
> Hi:
> I read the X.509 V3 document and felt some confusion about
> authorityKeyIdentifier and subjectKeyIdentifier.
> Are authorityKeyIdentifier and subjectKeyIdentifier implemented in the
> real case or model, and how to implement the flow?
> Without subjectKeyIdentifier, will verification of client's certs be
> confused or fail? And in what situation does it happen?
>
> Best Regards,
> James L.
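
An added example, not part of the thread and not Microsoft's code: issuer selection as the reply describes it, matching the AKI keyIdentifier against SKI values first, with an optional fall back to name chaining, plus the two SKI computations given in RFC 2459. The `Cert` record, `find_issuers`, and all names and key bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def ski_method1(public_key_bits: bytes) -> bytes:
    """RFC 2459 method (1): the 160-bit SHA-1 of the subjectPublicKey bits."""
    return hashlib.sha1(public_key_bits).digest()

def ski_method2(public_key_bits: bytes) -> bytes:
    """RFC 2459 method (2): type field 0100, then the low 60 bits of the SHA-1."""
    tail = bytearray(hashlib.sha1(public_key_bits).digest()[-8:])
    tail[0] = 0x40 | (tail[0] & 0x0F)
    return bytes(tail)

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed certificate (no real X.509 parsing)."""
    subject: str
    issuer: str
    ski: Optional[bytes] = None  # subjectKeyIdentifier
    aki: Optional[bytes] = None  # authorityKeyIdentifier.keyIdentifier

def find_issuers(cert, pool, name_fallback=True):
    """Return candidate issuers; each still needs its signature check."""
    by_name = [c for c in pool if c.subject == cert.issuer]
    if cert.aki is None:
        return by_name                   # no AKI: plain name chaining
    by_key = [c for c in pool if c.ski == cert.aki]
    if by_key or not name_fallback:
        return by_key                    # strict mode stops here, even if empty
    return by_name                       # AKI present, no SKI match: use names

# Constructed sample data: one CA name with two keys, and a CA without an SKI.
OLD_KEY, NEW_KEY = b"constructed-ca-key-1", b"constructed-ca-key-2"
CA_OLD = Cert("CN=Example CA", "CN=Example CA", ski=ski_method1(OLD_KEY))
CA_NEW = Cert("CN=Example CA", "CN=Example CA", ski=ski_method1(NEW_KEY))
CA_NO_SKI = Cert("CN=Legacy CA", "CN=Legacy CA")
LEAF = Cert("CN=user", "CN=Example CA", aki=ski_method1(NEW_KEY))
LEGACY_LEAF = Cert("CN=user2", "CN=Legacy CA", aki=ski_method1(b"constructed-legacy-key"))
POOL = [CA_OLD, CA_NEW, CA_NO_SKI]

if __name__ == "__main__":
    print("key match:", find_issuers(LEAF, POOL))
    print("strict, SKI missing:", find_issuers(LEGACY_LEAF, POOL, name_fallback=False))
    print("with fallback:", find_issuers(LEGACY_LEAF, POOL))
```

With two CA certificates sharing one name, the key identifier picks the one holding the signing key; in strict mode the certificate whose issuer carries no SKI finds no issuer at all.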