On Thu, May 08, 2014, Stephan Mühlstrasser wrote:

> On 08.05.14 16:15, Dr. Stephen Henson wrote:
>
> > Well technically AKID should only be used as a hint (various PKIX list
> > discussions have confirmed this). In that sense OpenSSL is already too
> > strict: if AKID completely mismatches it will decide that the candidate
> > certificate cannot be an issuer.
>
> I don't understand the usefulness of the AKID then. If it's only a
> hint and can't even be used to exclude certain certificates as
> issuers, what is it good for?
>

Disclaimer: I'm just echoing what has been discussed in the PKIX list here, not passing an opinion ;-)

That said, AKID can be used to prefer one certificate issuer over another during path discovery. I'd interpret that to mean that (all things being equal) if there are two certificates, one of which matches AKID and the other does not, you would use the AKID-matching one. However, by itself an AKID mismatch should not exclude a certificate as an issuer.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
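The two candidate-issuer policies contrasted in this thread (AKID mismatch excludes a candidate, versus AKID match only orders the candidates), as an added illustration that is not OpenSSL code and not part of the original mail. The certificate records, names and key identifiers below are constructed; the `signature_ok` check is a stand-in for real signature verification, since the point being demonstrated is the path-discovery order, not the cryptography. The scenario is the one the "hint" reading is meant to survive: the only usable intermediate carries a different SKID from the one encoded in the leaf's AKID, while a decoy certificate with the same subject name happens to match the AKID but was signed with a different key.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for this example)."""
    label: str           # short name used in traces and results
    subject: str
    issuer: str
    key_id: str          # identifies the public key carried by this certificate
    skid: Optional[str]  # Subject Key Identifier extension
    akid: Optional[str]  # Authority Key Identifier, keyIdentifier form
    sig_key: str         # key that really produced the signature (simulates verification)


def signature_ok(cert: Cert, issuer: Cert) -> bool:
    # Stand-in for cryptographic verification: the candidate's key must be the
    # one that actually signed `cert`. A real implementation verifies the signature.
    return cert.sig_key == issuer.key_id


def candidate_issuers(cert: Cert, pool: List[Cert], strict_akid: bool) -> List[Cert]:
    """Return candidate issuers for `cert`, ordered (or filtered) by AKID/SKID match.

    strict_akid=True  : the behaviour the thread describes as too strict, a
                        mismatching SKID removes the candidate entirely.
    strict_akid=False : the PKIX reading, AKID is a hint, matches are tried first
                        but nothing is excluded on mismatch alone.
    """
    cands = [c for c in pool if c.subject == cert.issuer and c is not cert]
    if cert.akid is None:
        return cands
    if strict_akid:
        return [c for c in cands if c.skid == cert.akid]
    # sorted() is stable: AKID matches (key False) come first, others keep their order
    return sorted(cands, key=lambda c: c.skid != cert.akid)


def build_path(leaf: Cert, pool: List[Cert], anchors: List[Cert], strict_akid: bool,
               trace: Optional[List[str]] = None, max_depth: int = 8) -> Optional[List[Cert]]:
    """Depth-first path discovery from `leaf` to one of `anchors`, with backtracking."""
    anchor_labels = {a.label for a in anchors}
    search_space = pool + anchors

    def walk(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if cert.label in anchor_labels:
            return path
        if len(path) >= max_depth:
            return None
        seen = {c.label for c in path}
        for cand in candidate_issuers(cert, search_space, strict_akid):
            if cand.label in seen:        # never loop through a certificate twice
                continue
            if not signature_ok(cert, cand):
                if trace is not None:
                    trace.append(f"{cert.label} -> {cand.label}: signature check failed")
                continue
            if trace is not None:
                trace.append(f"{cert.label} -> {cand.label}: accepted")
            found = walk(cand, path + [cand])
            if found:
                return found
        return None

    return walk(leaf, [leaf])


def path_labels(path: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if path is None else [c.label for c in path]


# Constructed test data. The intermediate was re-issued with a new SKID while
# keeping its key, so the leaf's AKID ("int-skid-old") no longer matches it.
ROOT = Cert("root", "Root CA", "Root CA", "K_root", "root-skid", None, "K_root")
INT_REISSUED = Cert("int-new-skid", "Int CA", "Root CA", "K_int", "int-skid-new", "root-skid", "K_root")
INT_DECOY = Cert("int-decoy", "Int CA", "Root CA", "K_other", "int-skid-old", "root-skid", "K_root")
LEAF = Cert("leaf", "www.example.test", "Int CA", "K_leaf", "leaf-skid", "int-skid-old", "K_int")
POOL = [INT_REISSUED, INT_DECOY, LEAF]


def strict_result() -> Optional[List[str]]:
    return path_labels(build_path(LEAF, POOL, [ROOT], strict_akid=True))


def hint_result() -> Optional[List[str]]:
    return path_labels(build_path(LEAF, POOL, [ROOT], strict_akid=False))


if __name__ == "__main__":
    trace: List[str] = []
    print("strict AKID policy:", strict_result())
    print("hint AKID policy  :", path_labels(build_path(LEAF, POOL, [ROOT], False, trace)))
    for line in trace:
        print("  ", line)
```

Under the strict policy the re-issued intermediate is dropped before its signature is ever checked, the decoy fails verification, and no path exists. Under the hint policy the decoy is still tried first (it matches the AKID), fails the signature check, and the builder falls back to the mismatching but genuine intermediate, which is exactly the preference-without-exclusion behaviour Steve describes.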
