On 2009-11-21 10:46 PST, Ian G wrote:
> Hi Nelson,
>
> On 20/11/2009 20:57, Nelson B Bolyard wrote:
>> On 2009-11-19 08:24 PST, Daniel Joscak wrote:
>>> Why can a correct authority key identifier (AKI) not include both the key
>>> ID and the issuer's issuer name and serial number? We have an authority
>>> that adds such an AKI to its certificates, and until now I thought it was a
>>> valid X.509 certificate according to RFC 5280.
>>
>> It is allowed, but it is almost always a huge mistake to do so. CAs that
>> make this mistake typically have to abandon and completely replace their
>> entire PKI (entire tree of issued certificates) when a CA cert expires and
>> its serial number appears in the AKI of other subordinate certs. More than
>> once I've seen entire corporate PKIs have to be replaced due to this error.
>> That's why it's a "problematic practice".
>
> I don't see it here:
> https://wiki.mozilla.org/CA:Problematic_Practices ?

Well, let's ask Daniel.

Daniel,

Where did you find Mozilla documentation saying that AKI should not contain
BOTH the key ID and the (issuer name, serial number) pair? I know I've
written about that in this newsgroup many times before, and I thought it
was one of the "problematic practices", but where did you find it?

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
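The failure mode Nelson describes, as an added example (standard-library Python; it is not code from this thread, from NSS, or from any CA): encode and decode the RFC 5280 AuthorityKeyIdentifier extension value, then check an end-entity certificate's AKI against a CA certificate before and after the CA renews it with the same key but a new serial number. The CA name, key identifier, serial numbers and the strict "every field present must match" rule are constructed for the demonstration; the rule stands in for validators that honour the authorityCertSerialNumber field, which is what strands a PKI once the CA certificate is re-issued.

```python
"""AuthorityKeyIdentifier: keyIdentifier alone survives CA renewal,
keyIdentifier plus (issuer name, serial number) does not.  Added example;
all names, key ids and serials below are constructed."""

# --- minimal DER helpers, enough for RFC 5280 AuthorityKeyIdentifier -------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def _der_int(value: int) -> bytes:
    """INTEGER contents for a non-negative value (leading 0x00 if the high bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def cn_name(cn: str) -> bytes:
    """DER Name holding one CN attribute: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String } } }."""
    atv = _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


# --- AuthorityKeyIdentifier encode / decode (RFC 5280 section 4.2.1.1) -----

def encode_aki(key_id=None, issuer_name=None, serial=None) -> bytes:
    """SEQUENCE { keyIdentifier [0] OCTET STRING OPTIONAL,
                  authorityCertIssuer [1] GeneralNames OPTIONAL,
                  authorityCertSerialNumber [2] INTEGER OPTIONAL }"""
    parts = b""
    if key_id is not None:
        parts += _tlv(0x80, key_id)                 # [0] IMPLICIT, primitive
    if issuer_name is not None:
        parts += _tlv(0xA1, _tlv(0xA4, issuer_name))  # [1] GeneralNames { directoryName [4] Name }
    if serial is not None:
        parts += _tlv(0x82, _der_int(serial))       # [2] IMPLICIT INTEGER
    return _tlv(0x30, parts)


def parse_aki(der: bytes) -> dict:
    """Decode the extension value into {'key_id', 'issuer_name', 'serial'}; absent fields are None."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "AuthorityKeyIdentifier must be a SEQUENCE"
    out = {"key_id": None, "issuer_name": None, "serial": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x80:
            out["key_id"] = value
        elif tag == 0xA1:
            gn_tag, gn_value, _ = _read_tlv(value, 0)
            if gn_tag == 0xA4:          # only directoryName is handled here
                out["issuer_name"] = gn_value
        elif tag == 0x82:
            out["serial"] = int.from_bytes(value, "big", signed=True)
    return out


def aki_matches_issuer(aki: dict, issuer_cert: dict) -> bool:
    """Constructed strict rule: every field the AKI carries must agree with the candidate issuer."""
    if aki["key_id"] is not None and aki["key_id"] != issuer_cert["subject_key_id"]:
        return False
    if aki["issuer_name"] is not None and aki["issuer_name"] != issuer_cert["subject_name"]:
        return False
    if aki["serial"] is not None and aki["serial"] != issuer_cert["serial"]:
        return False
    return True


def aki_is_problematic(aki: dict) -> bool:
    """True when the AKI pins the issuer's serial number alongside its key identifier."""
    return aki["key_id"] is not None and aki["serial"] is not None


# --- constructed scenario: the CA renews its certificate, same key, new serial
CA_KEY_ID = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f9001020304")
CA_NAME = cn_name("Example Corp Root CA")
ORIGINAL_CA = {"subject_key_id": CA_KEY_ID, "subject_name": CA_NAME, "serial": 1}
RENEWED_CA = {"subject_key_id": CA_KEY_ID, "subject_name": CA_NAME, "serial": 2}

AKI_KEY_ONLY = encode_aki(key_id=CA_KEY_ID)
AKI_KEY_AND_SERIAL = encode_aki(key_id=CA_KEY_ID, issuer_name=CA_NAME, serial=1)


def chain_survives_renewal(aki_der: bytes) -> bool:
    """Can a certificate carrying this AKI still be chained to the renewed CA cert?"""
    return aki_matches_issuer(parse_aki(aki_der), RENEWED_CA)


if __name__ == "__main__":
    for label, der in (("keyIdentifier only", AKI_KEY_ONLY),
                       ("keyIdentifier + issuer/serial", AKI_KEY_AND_SERIAL)):
        aki = parse_aki(der)
        print(f"{label}: problematic={aki_is_problematic(aki)}, "
              f"matches original CA={aki_matches_issuer(aki, ORIGINAL_CA)}, "
              f"matches renewed CA={chain_survives_renewal(der)}")
```

Run it and the second line shows the trap: the certificate chains fine today, and stops chaining the day the CA certificate is replaced, even though the signing key never changed. A lint over a CA's issued certificates only needs `aki_is_problematic(parse_aki(ext_value))` on the extnValue octets of OID 2.5.29.35 to find the affected certificates before that day.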