On Thu, May 08, 2014, Viktor Dukhovni wrote:
> On Thu, May 08, 2014 at 05:12:07PM +0200, Dr. Stephen Henson wrote:
>
> > > I don't understand the usefulness of the AKID then. If it's only a
> > > hint and can't even be used to exclude certain certificates as
> > > issuers, what is it good for?
> > >
> >
> > Disclaimer: I'm just echoing what has been discussed in the PKIX list here,
> > not passing an opinion ;-)
> >
> > That said, the AKID can be used to prefer one certificate issuer over
> > another during path discovery. I'd interpret that to mean that (all things
> > being equal) if there are two certificates, one of which matches the AKID and
> > the other does not, you would use the AKID-matching one. However, by itself an
> > AKID mismatch should not exclude a certificate as an issuer.
>
> The Postfix 2.11 DANE code relies on certificates with skid !=
> akid->keyid failing X509_check_issued(cert, cert) even though the
> subject and issuer DNs may be the same. I really hope that OpenSSL
> will not in the future break this assumption.
>
To retain compatibility the X509_check_issued behaviour won't change. The
certificate verify algorithm may be more lenient of mismatches in future in
the absence of an exact match.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
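An added example, not from this thread, OpenSSL or Postfix: a pure-Python model of the two checks the exchange is about. `Cert`, `check_issued` and `pick_issuer` are constructed stand-ins (key-usage and signature checks are left out); strict mode models X509_check_issued, where an AKID that contradicts the issuer's SKID fails even when the DNs match, and lenient mode models the path-discovery preference where the AKID only ranks candidates.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X509 cert: only the fields the issuer
    check inspects (DNs as strings, key identifiers as hex strings)."""
    subject: str
    issuer: str
    skid: Optional[str]        # SubjectKeyIdentifier, None if the extension is absent
    akid_keyid: Optional[str]  # AuthorityKeyIdentifier.keyIdentifier, None if absent

def akid_matches(issuer: Cert, cert: Cert) -> bool:
    """Key-id half of X509_check_akid: an AKID only contradicts an issuer when
    both identifiers are present and differ; an absent one is not a mismatch."""
    if cert.akid_keyid is None or issuer.skid is None:
        return True
    return cert.akid_keyid == issuer.skid

def check_issued(issuer: Cert, cert: Cert) -> bool:
    """Simplified X509_check_issued(issuer, cert): the DNs must chain AND the
    AKID must not contradict the SKID. Key-usage checks are left out here."""
    return cert.issuer == issuer.subject and akid_matches(issuer, cert)

def is_self_issued(cert: Cert) -> bool:
    """The DANE check from the thread: skid != akid->keyid fails it even if DNs match."""
    return check_issued(cert, cert)

def pick_issuer(candidates: List[Cert], cert: Cert, lenient: bool = False) -> Optional[Cert]:
    """Path discovery over name-matching candidates. Strict mode excludes an
    AKID mismatch; lenient mode only prefers a match, falling back to the
    first name match (the softer behaviour the reply leaves room for)."""
    by_name = [c for c in candidates if cert.issuer == c.subject]
    exact = [c for c in by_name if akid_matches(c, cert)]
    if exact:
        return exact[0]
    return by_name[0] if lenient and by_name else None

# Constructed data: one CA name, two keys. CA_NEW is the re-keyed CA cert
# signed by the old key, so its DNs look self-signed but its AKID does not.
CA_OLD = Cert("CN=Example CA", "CN=Example CA", skid="aa", akid_keyid="aa")
CA_NEW = Cert("CN=Example CA", "CN=Example CA", skid="bb", akid_keyid="aa")
LEAF = Cert("CN=mail.example", "CN=Example CA", skid="cc", akid_keyid="bb")
LEAF_STALE = Cert("CN=old.example", "CN=Example CA", skid="dd", akid_keyid="ee")

if __name__ == "__main__":
    print(is_self_issued(CA_OLD), is_self_issued(CA_NEW))                     # True False
    print(pick_issuer([CA_OLD, CA_NEW], LEAF) is CA_NEW)                       # True
    print(pick_issuer([CA_OLD, CA_NEW], LEAF_STALE, lenient=True) is CA_OLD)   # True
```

With only DNs compared, CA_OLD and CA_NEW would be indistinguishable as issuers; the AKID/SKID comparison is what lets the leaf chain to the right key and what makes CA_NEW fail the self-issued test.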
