Bonsoir John, > Le 1 juin 2015 à 17:20, John Lofgren via RT <[email protected]> a écrit : > […]
> One remaining question. If this extension is "only a helper and MUST NOT be > used to (in)validate a certificate chain" as you say or as the spec says > "non-critical", then why does 'openssl verify' reject this chain? That’s an open question. This topic has been raised on IETF PKIX last april. The normative validation algorithm in section 6 of RFC5280 doesn’t use AKI/SKI. RFC4158 is about path construction and is also clear on not using AKI/SKI to eliminate a certificate chain. _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
