[EMAIL PROTECTED] said:
> A standard property of certificates is that the issuer name and serial
> number must be unique.
> The Authority Key Identifier extension is used as a means of uniquely
> identifying the issuing authority. One way it does this is to use the
> issuer name and serial number of the issuing authority.
> The subject name of the issuer certificate is already available in the
> issuer name of the subject certificate. If it merely used this then it
> would be duplicating information.

I'm sorry but I cannot get your point. I agree that the issuer name plus
serial number must be unique. I also agree that the subject name of the
issuer certificate is already in the issuer name of the subject
certificate and there is no need to get it again.

What I cannot get is why the name inside the Authority key identifier of
the candidate subject must match the issuer of the issuer certificate.

The certificates we are trying to verify are also generated using
OpenSSL and they contain (in the Authority key identifier) the name
of their issuer (not the one of the issuer for their issuer's cert as
you seem to suggest).

So there seems to be an error either in the extension generation functions
(I don't think so) or in the verification functions.

Please, would you have a look at the files and cert paths I attached to
my previous message and tell me why (without the patch I propose) the
verification fails?

Regards,
--
"This time we will not fail, Doctor Infierno"
Diego R. Lopez
[EMAIL PROTECTED]
RedIRIS
The Spanish NREN
Tel: +34 955 056 621
-----------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
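
The matching rule described in the quoted text, as an added example that is not part of the original message and is not OpenSSL's code: a simplified Python model in which the AKID issuer/serial pair is compared against the issuer certificate's own issuer name and serial number. The `Cert` class, `check_issued` function, result strings and all certificate values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed model: only the fields used for issuer matching."""
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes] = None            # Subject Key Identifier
    akid_keyid: Optional[bytes] = None      # AKID keyIdentifier
    # AKID (authorityCertIssuer, authorityCertSerialNumber)
    akid_issuer_serial: Optional[Tuple[str, int]] = None


def check_issued(issuer: Cert, subject: Cert) -> str:
    """Return 'ok', or why `issuer` is rejected as the issuer of `subject`."""
    if subject.issuer != issuer.subject:
        return "name mismatch"
    if subject.akid_keyid and issuer.skid and subject.akid_keyid != issuer.skid:
        return "AKID keyid mismatch"
    if subject.akid_issuer_serial:
        name, serial = subject.akid_issuer_serial
        # The pair identifies the issuer *certificate* the way any certificate
        # is uniquely identified: by its own issuer name plus serial number.
        if serial != issuer.serial or name != issuer.issuer:
            return "AKID issuer/serial mismatch"
    return "ok"


# Constructed chain: Root CA (self-signed) -> Sub CA -> host
root = Cert("CN=Root CA", "CN=Root CA", 1, skid=b"\x01")
sub_ca = Cert("CN=Sub CA", "CN=Root CA", 7, skid=b"\x02",
              akid_keyid=b"\x01", akid_issuer_serial=("CN=Root CA", 1))
# AKID carries the Sub CA certificate's issuer name and serial number.
leaf_good = Cert("CN=host", "CN=Sub CA", 100,
                 akid_keyid=b"\x02", akid_issuer_serial=("CN=Root CA", 7))
# AKID carries the Sub CA's subject name instead.
leaf_bad = Cert("CN=host", "CN=Sub CA", 101,
                akid_keyid=b"\x02", akid_issuer_serial=("CN=Sub CA", 7))

if __name__ == "__main__":
    for label, ca, cert in [("sub_ca", root, sub_ca),
                            ("leaf_good", sub_ca, leaf_good),
                            ("leaf_bad", sub_ca, leaf_bad)]:
        print(label, "->", check_issued(ca, cert))
```

Directly under a self-signed root the subject and issuer names coincide, so the two readings of the AKID name only give different results from the second level of the chain down.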