-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 04/25/2014 09:59 AM, Erwann Abalea wrote: > Le vendredi 25 avril 2014 13:46:51 UTC+2, Martin Paljak a écrit : >> >> What is the rationale for this: >> >> 4. Mozilla::pkix performs chaining based on issuer name alone, >> and does not require that issuer's subject key match the >> authority key info (AKI) extension in the certificate. Classic >> verification enforces the AKI restriction. > > AKI is only a helper for certificate path building. It's mandatory > for CAs to issue certificates with matching keyIdentifiers > (issued.AKI.keyIdentifier = issuer.SKI), but it's not mandatory > for relying parties to verify that the values match.
That doesn't seem like enough of a justification to me. It may not be mandatory, but please explain why it is not *necessary* (i.e. why no security guarantees depend on it). zw -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Icedove - http://www.enigmail.net/ iQIcBAEBCAAGBQJTWorRAAoJEJH8wytnaapkkO8QAI4IrF43KkSBzkN6YcZ6gvUu 2xqzkZGSJJDHJkrJJCIEAlcpLPWlXfrhCuhhr5+tXQ6hgKm+i5HCCsE+vkd9bqHx FQO+Qg/pG+Y1UWfJ57/0FuUwffl42ox+6zXeQPSEVDmB3nXaVxpJuLgIQpU6Pvp2 E/pc8E6FHJ1Ua6SHqSNFYj8qirtu8wnKu2ubhnbYfNJKRqgLjufe6bAPjunnwj/5 TbABPSkgll9drHtc5KzNyG6zWlboVdyNLZEVOkzsmXAusy0fRYiqK5U05BexGPdZ m7lsfmj78hvSe1Un+C6h4scvi9MLs851HBiJopAV0rltvZBryZZxE0nmYswZp3bo GrHylX/Yxx5AddQl8A3BDR5HfI/xSFej0VgAhSChNmkSVLROAFpSlK0IuYfhtxd6 OkxfDhBDgCVY/tB89kXmu0vzW9xwjsgmFQ0vvHHVJwdOfJXs8Cky1LWextIdUc5y zEmiM5pfd/GRutTHKjK7dWNqj1mpK6uJbM8QIG0tMOcpJ41Ja8rXYhKem9LIBjf6 s2j19puGw0Vgi9mmSfqrRL4IiW677m3vizXHMgeFkyKwMkJHRNU7IVN+8N+KTQ7n flhjXTf/A8OJWpcQWIdiQrx73ul/jxGoROsQ+HkcfWhTQWa/ZHdPxd2ivyl3xGc0 yxo93+ET5uXRGoY24EVx =dTnD -----END PGP SIGNATURE----- -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto