Forwarding this to the public list with Viktor’s permission. Is there any discussion?
I can add it to the agenda for the next call.

Dean Coclin
CSCWG Chair

From: Varga Viktor
Sent: Thursday, August 1, 2024 4:15 AM
To: Dean Coclin
Subject: Mistake in CSBR

Dear Dean,

I think I found a mistake in the CSBR. Neither in chapter 7.1.2.1 Root CA Certificate nor in chapter 7.1.2.2 Subordinate CA Certificate can we find a section for the subjectKeyIdentifier (later SKI) extension. But 7.1.2.4 also explicitly denies the use of any extension other than those listed in these chapters. But RFC 5280 mandates this. (I added the important chapters to the end of the mail.)

May I ask for a correction to add the SKI to the requirements? This extension shall be added to 7.1.2.1 and 7.1.2.2 and optionally in 7.1.2.3.

Also I would like to ask: can we agree that, if we are issuing a CA certificate until the correction, a CA certificate with SKI can be accepted as good because it fits in the term: "unless the CA is aware of a reason"?

Kind regards,
Viktor

Viktor Varga
PKI Architect & Trust Services Manager

CSBR 7.1.2.4 All Certificates
All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extKeyUsage value, Certificate extension, or other data not specified in Section 7.1.2.1, Section 7.1.2.2, or Section 7.1.2.3 unless the CA is aware of a reason for including the data in the Certificate.

RFC 5280 4.2.1.2. Subject Key Identifier
The subject key identifier extension provides a means of identifying certificates that contain a particular public key. To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (Section 4.2.1.9) where the value of cA is TRUE.
_______________________________________________ Cscwg-public mailing list [email protected] https://lists.cabforum.org/mailman/listinfo/cscwg-public
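The RFC 5280 rule quoted above (subjectKeyIdentifier MUST be present in every certificate with basicConstraints cA=TRUE) is easy to turn into a pre-issuance lint. The following Go program is an added example for this page; it is not code from the thread, the CA/B Forum, or any CA. It uses only the Go standard library: NewTestCA builds a throwaway self-signed CA certificate (the name "Example Test Root CA (hypothetical)" and all key material are constructed test input), CheckSKI applies the RFC 5280 4.2.1.2 check, and WithoutSKI simulates a certificate issued from a profile that omitted the extension. Go's x509.CreateCertificate fills SubjectKeyId for CA templates on its own, which is why the negative case has to be simulated by clearing the field. The "method 1" comparison (SKI equals the SHA-1 of the subjectPublicKey BIT STRING value) is reported for information only, since RFC 5280 permits other derivation methods and a mismatch is not a conformance failure.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SKIReport records what the lint found for one certificate.
type SKIReport struct {
	IsCA           bool // basicConstraints present with cA=TRUE
	HasSKI         bool // subjectKeyIdentifier extension present
	MatchesMethod1 bool // SKI == SHA-1(subjectPublicKey BIT STRING value), informational
}

// subjectPublicKeyInfo mirrors the ASN.1 SubjectPublicKeyInfo structure so the
// raw BIT STRING value can be hashed exactly as RFC 5280 4.2.1.2 method (1) describes.
type subjectPublicKeyInfo struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// CheckSKI applies RFC 5280 4.2.1.2: a certificate with cA=TRUE MUST carry
// subjectKeyIdentifier. For end-entity certificates SKI is only a SHOULD, so its
// absence is reported in the struct but is not an error.
func CheckSKI(cert *x509.Certificate) (SKIReport, error) {
	r := SKIReport{
		IsCA:   cert.BasicConstraintsValid && cert.IsCA,
		HasSKI: len(cert.SubjectKeyId) > 0,
	}
	if r.HasSKI {
		var spki subjectPublicKeyInfo
		if _, err := asn1.Unmarshal(cert.RawSubjectPublicKeyInfo, &spki); err != nil {
			return r, fmt.Errorf("parse SubjectPublicKeyInfo: %w", err)
		}
		sum := sha1.Sum(spki.PublicKey.Bytes) // method (1): hash the BIT STRING content only
		r.MatchesMethod1 = bytes.Equal(sum[:], cert.SubjectKeyId)
	}
	if r.IsCA && !r.HasSKI {
		return r, errors.New("CA certificate (cA=TRUE) lacks subjectKeyIdentifier; violates RFC 5280 4.2.1.2")
	}
	return r, nil
}

// NewTestCA builds a throwaway self-signed CA certificate (constructed test input,
// not a real CA). The template deliberately leaves SubjectKeyId empty; Go fills it
// in for CA templates, which gives the conforming case.
func NewTestCA() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA (hypothetical)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// WithoutSKI simulates the defect discussed in the thread: the same CA certificate
// as a profile that omitted the SKI extension would have produced it.
func WithoutSKI(cert *x509.Certificate) *x509.Certificate {
	c := *cert
	c.SubjectKeyId = nil
	return &c
}

func main() {
	ca, err := NewTestCA()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{ca, WithoutSKI(ca)} {
		rep, err := CheckSKI(c)
		fmt.Printf("%+v err=%v\n", rep, err)
	}
}
```

In a real issuance pipeline this check would run on the DER produced by the signing step, before the certificate leaves the HSM boundary, so that a profile error of the kind described in the mail is caught by the CA rather than by a relying party's path builder.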
