On Mon, Feb 26, 2024 at 4:36 AM Carl Wallace <c...@redhoundsoftware.com> wrote:
> Two comments on the third paragraph of section 4.1:
>
> - The addition of section identifiers for the references makes the
> sentences harder to read. Maybe wrapping the section identifiers and
> reference in parentheses.
>

Thanks, this feedback is appreciated. I've gone back and forth a lot on how best to do these references, and tried a bunch of different things, and this was my favorite phrasing so far. Unfortunately putting them in parentheses causes the resulting sentence to not read in plain English, unless I'm misunderstanding your suggestion?

> - The preparation of the URI uses the keyIdentifier field of
> AuthorityKeyIdentifier. That field is optional. What should occur if it is
> absent (or if AKID is absent)? Given 5280 requires uniqueness for issuer
> name and serial and the issuer field is not optional, would the issuer
> field make for a better target than AKID? If this mechanism only applies to
> certs that conform to a profile that requires presence of key identifier in
> the AKID extension, state that up front.
>

This is a very interesting point. RFC 5280 requires both that the AKID extension be present and that the keyIdentifier field be present within it (Section 4.2.1.1 <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1>: "The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction."). So it's not obvious to me that the issuer name + serial uniqueness is any *more* required than the existence of the keyIdentifier field.

Do other members of this list think that using some form of the Issuer Name bytes would be better than using the keyIdentifier?

Thanks again,
Aaron
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
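The exchange above turns on what a client should do when the AKID keyIdentifier the identifier is built from is missing. The following Go program is an added example, not code from the thread, the ACME working group, or the ARI draft; it assumes the identifier is formed as base64url(keyIdentifier) "." base64url(DER INTEGER bytes of the serial), which the thread itself does not spell out, and it builds its own constructed CA and leaf certificates with Go's standard library. The point it makes is the one raised in the question: a certificate with no keyIdentifier must fail loudly (a distinct error) rather than fall through to a different, silently computed identifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrNoKeyIdentifier is returned when the certificate carries no
// AuthorityKeyIdentifier keyIdentifier. RFC 5280 4.2.1.1 requires it from
// conforming CAs, but a client must still handle its absence explicitly.
var ErrNoKeyIdentifier = errors.New("certificate has no AuthorityKeyIdentifier keyIdentifier")

// serialBytes returns the content bytes of the serial as a DER INTEGER
// (minimal two's-complement, leading 0x00 if the high bit is set), without
// the tag and length bytes.
func serialBytes(serial *big.Int) []byte {
	b := serial.Bytes()
	if len(b) == 0 {
		return []byte{0} // DER INTEGER zero is a single 0x00 byte
	}
	if b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return b
}

// CertID builds the identifier (assumed construction, see lead-in) for cert.
// Go's x509 parser fills AuthorityKeyId from the AKID keyIdentifier field,
// so an empty slice means either the extension or the field is absent.
func CertID(cert *x509.Certificate) (string, error) {
	if len(cert.AuthorityKeyId) == 0 {
		return "", ErrNoKeyIdentifier
	}
	enc := base64.RawURLEncoding // unpadded base64url
	return enc.EncodeToString(cert.AuthorityKeyId) + "." +
		enc.EncodeToString(serialBytes(cert.SerialNumber)), nil
}

// NewTestCA creates a constructed self-signed CA whose SubjectKeyId is keyID,
// so leaves it signs receive that value as their AKID keyIdentifier.
func NewTestCA(keyID []byte) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SubjectKeyId:          keyID,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// NewTestLeaf creates a constructed end-entity certificate. With a parent it
// is CA-signed and inherits the parent's SubjectKeyId as AKID; with parent
// nil it is self-signed and, having no SubjectKeyId, gets no AKID at all.
func NewTestLeaf(serial *big.Int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "leaf.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signKey := parent, parentKey
	if parent == nil {
		signer, signKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &priv.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	keyID := []byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04} // constructed
	ca, caKey, err := NewTestCA(keyID)
	if err != nil {
		panic(err)
	}
	leaf, err := NewTestLeaf(big.NewInt(128), ca, caKey)
	if err != nil {
		panic(err)
	}
	id, err := CertID(leaf)
	fmt.Println("CA-signed leaf:", id, err)

	orphan, err := NewTestLeaf(big.NewInt(2), nil, nil)
	if err != nil {
		panic(err)
	}
	_, err = CertID(orphan)
	fmt.Println("leaf without AKID:", err) // explicit ErrNoKeyIdentifier
}
```

The serial is encoded from its DER INTEGER content bytes rather than from `big.Int.Bytes()` directly: a serial whose high bit is set (128 here) gains a leading 0x00 in DER, so the two encodings differ, and a client that skips that step produces an identifier the server will not recognise.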