Well IETF didn't answer... I'm guessing that M$ is wrong, that would not be the first time, however the real question now is how do you contact M$ to report the bug? The guy I was in contact with is: "krish shenoy[MS]" <[EMAIL PROTECTED]>. He claims that M$ is right, I guess I'll let you big guys convince them!

Cheers!

----- Original Message -----
From: "Frédéric Giudicelli" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, November 01, 2002 12:50 AM
Subject: Re: [openssl.org #323] Bug in "authorityKeyIdentifier" extension ?

> Well Microsoft support tells me it's openssl's fault, and you tell me it's
> microsoft's?
> It's a dead end, what am I supposed to tell my clients?
> Well... although PKIX recommends the use of the authorityKeyId, and the
> French Government says you must have this extension to be certified,
> I'll have to remove this extension?
>
> To make everybody happy let's read the RFC
>
> http://www.ietf.org/rfc/rfc2459.txt
>
> 4.2.1.1 Authority Key Identifier
>
> ...The identification may be based on either the
> key identifier (the subject key identifier in the issuer's
> certificate) or on the issuer name and serial number.
>
> 4.2.1.2 Subject Key Identifier
>
> ...The value of the subject key identifier MUST be the value
> placed in the key identifier field of the Authority Key Identifier
> extension (see sec. 4.2.1.1) of certificates issued by the subject of
> this certificate.
>
> Well, the least that we could say is that it is crystal clear :).
> It's incomprehensible.
> I'm writing to the authors to see what they say about it, because MS has
> another comprehension than yours.
>
> ----- Original Message -----
> From: "Richard Levitte - VMS Whacker via RT" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, November 01, 2002 12:23 AM
> Subject: Re: [openssl.org #323] Bug in "authorityKeyIdentifier" extension ?
>
>
> > In message <[EMAIL PROTECTED]> on Thu, 31 Oct 2002 23:19:17 +0100 (MET),
> > "Frédéric Giudicelli via RT" <[EMAIL PROTECTED]> said:
> >
> > rt> All I know is that MS Windows 2000 SP3 considers the chain broken,
> > rt> it links the EndUser Cert with the ROOT CERT, and since the issuer
> > rt> of the EndUser Cert is not ROOT CA, badaboum, unusable
> > rt> certificate.
> >
> > In that case, I think Windows has it wrong.
> >
> > rt> When authorityKeyId=keyid, it works, when authorityKeyId=keyid,
> > rt> issuer -> doesn't work.
> >
> > OK, listen up: It's not the combination keyID+issuer that should be
> > looked up, it's the combination issuer+serial (look at the
> > certificate, there should be a serial number there as well). If
> > Windows breaks on such values, it's broken.
> >
> > rt> I'm sorry but when we talk about the issuer of the EndUser Cert,
> > rt> we talk about INTERMEDIATE CA, not ROOT CA.
> >
> > Again, listen up: The intermediate CA certificate can be referred to by
> > subject or by rootsubject+serial (that is, the serial number that you
> > can see in the intermediate CA certificate). It's the latter lookup
> > method that should be used when the authorityKeyIdentifier is used.
> >
> > rt> That's nonsense.
> >
> > No, you just keep ignoring the serial number, and apparently, so does
> > Windows.
> >
> > --
> > Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
> > Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
> > \ SWEDEN \ or +46-708-26 53 44
> > Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
> > Member of the OpenSSL development team: http://www.openssl.org/
> >
> > Unsolicited commercial email is subject to an archival fee of $400.
> > See <http://www.stacken.kth.se/~levitte/mail/> for more info.
> >

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
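The lookup rule Richard spells out above, as an added example that is not part of the original thread and is neither OpenSSL nor Microsoft code: a small Python model of how a relying party should match an authorityKeyIdentifier against candidate issuer certificates under RFC 2459 section 4.2.1.1, placed next to an assumed "naive" lookup that reads authorityCertIssuer as the CA's subject name and drops the serial number (an assumption chosen to reproduce the symptom reported in the thread, not a description of the Windows implementation). The certificate hierarchy, names, serials and key identifiers are constructed placeholders; nothing here parses real DER or checks signatures. In OpenSSL's x509v3 configuration the `issuer` value of `authorityKeyIdentifier` is what adds the issuer name and serial number pair being discussed.

```python
"""Toy model of authorityKeyIdentifier (AKI) matching, RFC 2459 sec. 4.2.1.1.
Constructed data only: no DER parsing, no keys, no signatures. The 'naive'
matcher is an ASSUMED model of the reported symptom, not Microsoft's code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AKI:
    """All three fields are OPTIONAL in the ASN.1; None means absent."""
    key_id: Optional[bytes] = None               # issuer cert's subjectKeyIdentifier
    authority_cert_issuer: Optional[str] = None  # the ISSUER NAME of the issuer cert
    authority_cert_serial: Optional[int] = None  # the SERIAL NUMBER of the issuer cert


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: bytes
    aki: Optional[AKI] = None

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def matches_rfc(child: Cert, cand: Cert) -> bool:
    """RFC 2459 rule: name chaining plus every AKI field that is present.
    authorityCertIssuer/SerialNumber identify the candidate certificate itself,
    so they are compared with cand.issuer and cand.serial, never cand.subject."""
    if cand.subject != child.issuer:
        return False
    aki = child.aki
    if aki is None:
        return True
    if aki.key_id is not None and aki.key_id != cand.ski:
        return False
    if aki.authority_cert_issuer is not None and aki.authority_cert_issuer != cand.issuer:
        return False
    if aki.authority_cert_serial is not None and aki.authority_cert_serial != cand.serial:
        return False
    return True


def matches_naive(child: Cert, cand: Cert) -> bool:
    """ASSUMED model of the failure in the thread: authorityCertIssuer is read as
    the CA's subject name and the serial number is ignored; with no
    authorityCertIssuer present, fall back to name chaining plus keyid."""
    aki = child.aki
    if aki is not None and aki.authority_cert_issuer is not None:
        return cand.subject == aki.authority_cert_issuer
    if cand.subject != child.issuer:
        return False
    if aki is not None and aki.key_id is not None and aki.key_id != cand.ski:
        return False
    return True


def build_chain(leaf: Cert, store: List[Cert], matcher) -> Optional[List[Cert]]:
    """Walk from leaf to a self-signed cert, choosing each parent with `matcher`.
    Returns None when no parent is found or the walk loops."""
    chain, cur = [leaf], leaf
    while not cur.self_signed:
        parents = [c for c in store if c is not cur and matcher(cur, c)]
        if not parents or len(chain) > len(store):
            return None
        cur = parents[0]
        chain.append(cur)
    return chain


def chain_usable(chain: List[Cert]) -> bool:
    """What signature verification would also enforce: each issuer DN must equal
    the parent's subject DN. A chain that skips the intermediate fails here."""
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))


# Constructed three-tier hierarchy; the 20-byte SKIs are placeholders, not hashes.
ROOT = Cert("CN=ROOT CA", "CN=ROOT CA", 1, b"\x01" * 20, AKI(key_id=b"\x01" * 20))
INTER = Cert("CN=INTERMEDIATE CA", "CN=ROOT CA", 2, b"\x02" * 20,
             AKI(b"\x01" * 20, authority_cert_issuer="CN=ROOT CA", authority_cert_serial=1))
# End-user cert with a 'keyid,issuer'-style AKI: authorityCertIssuer is the name of
# the issuer OF THE INTERMEDIATE'S CERT (the root) and the serial is the
# intermediate's own serial, 2. Neither field names the intermediate's subject.
LEAF_FULL = Cert("CN=enduser", "CN=INTERMEDIATE CA", 3, b"\x03" * 20,
                 AKI(b"\x02" * 20, authority_cert_issuer="CN=ROOT CA", authority_cert_serial=2))
# Same end-user cert with a keyid-only AKI, the variant the thread says works.
LEAF_KEYID = Cert("CN=enduser", "CN=INTERMEDIATE CA", 4, b"\x04" * 20, AKI(key_id=b"\x02" * 20))
STORE = [ROOT, INTER]


def verify(leaf: Cert, matcher):
    """Return (subjects of the built chain or None, whether the chain is usable)."""
    chain = build_chain(leaf, STORE, matcher)
    if chain is None:
        return None, False
    return [c.subject for c in chain], chain_usable(chain)


if __name__ == "__main__":
    for name, leaf in (("keyid,issuer", LEAF_FULL), ("keyid only", LEAF_KEYID)):
        for label, m in (("RFC lookup", matches_rfc), ("naive lookup", matches_naive)):
            print(f"{name:13s} {label:13s} -> {verify(leaf, m)}")
```

The point the thread circles around is visible in `LEAF_FULL`: its authorityCertIssuer holds the issuer name of the intermediate CA's certificate, which is the root's name, and authorityCertSerialNumber holds the intermediate's serial. Matched per the RFC, that pair selects the intermediate and the chain is enduser, INTERMEDIATE CA, ROOT CA. Matched against subject names with the serial ignored, it selects the root directly, and the resulting two-certificate chain fails name chaining, which is the "chain broken" symptom. For a certificate issued straight by a self-signed root the two readings give the same answer, since a self-signed root's issuer and subject names are identical, so a lookup bug of this kind only shows up once an intermediate CA is in the path.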