Well, Microsoft support tells me it's OpenSSL's fault, and you tell me it's
Microsoft's?
It's a dead end; what am I supposed to tell my clients?
Well... although PKIX recommends the use of the authorityKeyId, and the
French Government says you must have this extension to be certified,
I'll have to remove this extension?

To make everybody happy, let's read the RFC:

http://www.ietf.org/rfc/rfc2459.txt

4.2.1.1  Authority Key Identifier

...The identification may be based on either the
   key identifier (the subject key identifier in the issuer's
   certificate) or on the issuer name and serial number.

4.2.1.2  Subject Key Identifier

...The value of the subject key identifier MUST be the value
   placed in the key identifier field of the Authority Key Identifier
   extension (see sec. 4.2.1.1) of certificates issued by the subject of
   this certificate.

Well, the least we could say is that it is crystal clear :).
It's incomprehensible.
I'm writing to the authors to see what they say about it, because MS has
a different understanding than yours.

----- Original Message -----
From: "Richard Levitte - VMS Whacker via RT" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, November 01, 2002 12:23 AM
Subject: Re: [openssl.org #323] Bug in "authorityKeyIdentifier" extension ?


>
> In message <[EMAIL PROTECTED]> on Thu, 31 Oct 2002
> 23:19:17 +0100 (MET), "Frédéric Giudicelli via RT" <[EMAIL PROTECTED]> said:
>
> rt> All I know, is that MS Windows 2000 SP3 consider the chain broken,
> rt> it links the EndUser Cert with the ROOT CERT, and since the issuer
> rt> of the EndUser Cert is not ROOT CA, badaboum, unusable
> rt> certificate.
>
> In that case, I think Windows has it wrong.
>
> rt> When authorityKeyId=keyid, it works, when authorityKeyId=keyid,
> rt> issuer -> doesn't work.
>
> OK, listen up: It's not the combination keyID+issuer that should be
> looked up, it's the combination issuer+serial (look at the
> certificate, there should be a serial number there as well).  If
> Windows breaks on such values, it's broken.
>
> rt> I'm sorry but when we talk about the issuer of the EndUser Cert,
> rt> we talk about INTERMEDIATE CA, not ROOT CA.
>
> Again, listen up: The intermediate CA certificate can be referred to by
> subject or by rootsubject+serial (that is, the serial number that you
> can see in the intermediate CA certificate).  It's the latter lookup
> method that should be used when the authorityKeyIdentifier is used.
>
> rt> That's nonsense.
>
> No, you just keep ignoring the serial number, and apparently, so does
> Windows.
>
> --
> Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
>                     \      SWEDEN       \ or +46-708-26 53 44
> Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
>
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
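As an added example (not from this thread, OpenSSL or Microsoft), a small Python model of the two lookups being argued about: the RFC 2459 issuer identification by keyIdentifier or by the pair (authorityCertIssuer, authorityCertSerialNumber), next to a name-only lookup that reads authorityCertIssuer as the issuer's own subject and ignores the serial, which is the behaviour this thread attributes to Windows 2000 SP3. The certificate fields, names and serial numbers are constructed for the demonstration; no real DER is parsed.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Cert:  # constructed stand-in for an X.509 certificate, only the fields used here
    subject: str
    issuer: str
    serial: int
    skid: Optional[bytes] = None        # subjectKeyIdentifier
    akid_keyid: Optional[bytes] = None  # authorityKeyIdentifier.keyIdentifier
    akid_issuer: Optional[str] = None   # authorityKeyIdentifier.authorityCertIssuer
    akid_serial: Optional[int] = None   # authorityKeyIdentifier.authorityCertSerialNumber
def find_issuer_rfc2459(cert, pool):
    """RFC 2459 4.2.1.1: match the candidate's SKID against keyIdentifier and/or the
    candidate's own (issuer, serial) against (authorityCertIssuer, authorityCertSerialNumber)."""
    for cand in pool:
        if cand.subject != cert.issuer:
            continue
        if cert.akid_keyid is not None and cand.skid != cert.akid_keyid:
            continue
        if cert.akid_issuer is not None and \
                (cand.issuer, cand.serial) != (cert.akid_issuer, cert.akid_serial):
            continue
        return cand
    return None
def find_issuer_name_only(cert, pool):
    """The lookup the thread attributes to Windows: authorityCertIssuer is read as the
    issuer's own subject name and authorityCertSerialNumber is ignored."""
    wanted = cert.akid_issuer if cert.akid_issuer is not None else cert.issuer
    return next((c for c in pool if c.subject == wanted), None)

def build_chain(leaf, pool, lookup):
    """Walk upwards until a self-signed certificate or a dead end is reached."""
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        nxt = lookup(chain[-1], pool)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def chain_is_consistent(chain):  # every issuer name equals the next subject; ends self-signed
    return (all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))
            and chain[-1].subject == chain[-1].issuer)
# Constructed sample hierarchy: ROOT CA (serial 1) -> INTERMEDIATE CA (serial 2) -> END USER.
ROOT = Cert("CN=ROOT CA", "CN=ROOT CA", 1, skid=b"root-key")
INTER = Cert("CN=INTERMEDIATE CA", "CN=ROOT CA", 2, skid=b"inter-key", akid_keyid=b"root-key")
END_KEYID = Cert("CN=END USER", "CN=INTERMEDIATE CA", 3, akid_keyid=b"inter-key")  # keyid only
END_FULL = Cert("CN=END USER", "CN=INTERMEDIATE CA", 3, akid_keyid=b"inter-key",  # keyid,issuer
                akid_issuer="CN=ROOT CA", akid_serial=2)
```

With END_FULL the name-only lookup links END USER straight to ROOT CA and the chain fails the issuer-name check, while the RFC 2459 lookup finds the intermediate because its own issuer name and serial match the AKID pair.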