Forwarding this to the public list with Viktor’s permission. Is there any
discussion?

I can add it to the agenda for the next call.
Dean Coclin

CSCWG Chair
From: Varga Viktor
Sent: Thursday, August 1, 2024 4:15 AM
To: Dean Coclin
Subject: Mistake in CSBR
Dear Dean,
I think I found a mistake in the CSBR.
Neither in chapter 7.1.2.1 Root CA Certificate nor in chapter 7.1.2.2
Subordinate CA Certificate can we find a section for the subjectKeyIdentifier
(hereafter SKI) extension.

But 7.1.2.4 also explicitly forbids using any extension other than those listed
in these chapters.

But RFC 5280 mandates it. (I added the relevant chapters at the end of the
mail.)
May I ask for a correction to add the SKI to the requirements?
This extension shall be added to 7.1.2.1 and 7.1.2.2, and optionally to 7.1.2.3.
I would also like to ask:

Can we agree that, if we issue CA certificates before the correction, a
CA certificate with an SKI can be accepted as compliant because it fits the
wording “unless the CA is aware of a reason”?
Kind regards,

Viktor
Viktor Varga
PKI Architect & Trust Services Manager
CSBR

7.1.2.4 All Certificates

All other fields and extensions MUST be set in accordance with RFC 5280. The CA 
SHALL NOT issue a Certificate that contains a keyUsage flag, extKeyUsage value, 
Certificate extension, or other data not specified in Section 7.1.2.1, Section 
7.1.2.2, or Section 7.1.2.3 unless the CA is aware of a reason for including 
the data in the Certificate.
RFC 5280

4.2.1.2.  Subject Key Identifier

   The subject key identifier extension provides a means of identifying
   certificates that contain a particular public key.

   To facilitate certification path construction, this extension MUST
   appear in all conforming CA certificates, that is, all certificates
   including the basic constraints extension (Section 4.2.1.9) where the
   value of cA is TRUE.
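A check for the RFC 5280 rule quoted above, written as an added example for this thread (it is not part of the CSBR, the mailing list, or either mail) using the Python `cryptography` library, which is assumed to be installed; the two CA certificates it builds are constructed samples, one with and one without an SKI.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def build_ca_cert(with_ski: bool) -> x509.Certificate:
    """Constructed sample: a self-signed CA certificate, with or without an SKI."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if with_ski:
        # RFC 5280 method (1): SHA-1 of the subjectPublicKey BIT STRING value
        ski = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
        builder = builder.add_extension(ski, critical=False)
    return builder.sign(key, hashes.SHA256())

def check_ski(cert: x509.Certificate) -> list:
    """Return lint findings for the RFC 5280 4.2.1.2 SKI rule (empty list = OK)."""
    findings = []
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return findings  # no basicConstraints: not a CA certificate in RFC 5280's sense
    if not bc.value.ca:
        return findings  # cA is FALSE: the MUST does not apply
    try:
        ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        findings.append("RFC 5280 4.2.1.2: CA certificate lacks subjectKeyIdentifier")
        return findings
    if ski.critical:
        findings.append("RFC 5280 4.2.1.2: subjectKeyIdentifier MUST be non-critical")
    # Informational only: RFC 5280 merely suggests derivation methods, so a mismatch is not a violation
    expected = x509.SubjectKeyIdentifier.from_public_key(cert.public_key()).digest
    if ski.value.digest != expected:
        findings.append("info: SKI is not the RFC 5280 method (1) SHA-1 key hash")
    return findings
```

Run `check_ski` over a certificate loaded with `x509.load_pem_x509_certificate` to lint an actually issued CA certificate against the same rule.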

_______________________________________________
Cscwg-public mailing list
[email protected]
https://lists.cabforum.org/mailman/listinfo/cscwg-public