Believe that this question will be raised again and again...
Yuting Chen
-----Original Message-----
From: Erwann Abalea
Sent: Monday, June 01, 2015 10:12 AM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier
Good evening John,
On 1 June 2015 at 17:20, John Lofgren via RT <r...@openssl.org> wrote:
[…]
> One remaining question. If this extension is "only a helper and MUST NOT be
> used to (in)validate a certificate chain" as you say or as the spec says
> "non-critical", then why does 'openssl verify' reject this chain?
That’s an open question. This topic has been raised on IETF PKIX last April.
The normative validation algorithm in section 6 of RFC5280 doesn’t use AKI/SKI.
RFC4158 is about path construction and is also clear on not using AKI/SKI to
eliminate a certificate chain.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
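
The distinction drawn in the reply above (key identifiers as a path-building hint, not a reason to eliminate a chain), as an added example that is not part of the original thread and is not OpenSSL code. It is a simplified Python model: the `Cert` record, `build_path`, and every certificate value are constructed for illustration, and signature verification is modelled by comparing key labels.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:                      # hypothetical record, not a real X.509 parser
    subject: str
    issuer: str
    key: str                     # stands in for the subject public key
    signed_by: str               # stands in for "signature verifies under this key"
    ski: Optional[str] = None    # Subject Key Identifier
    aki: Optional[str] = None    # Authority Key Identifier (keyid form only)

def build_path(leaf: Cert, pool: List[Cert], anchors: List[Cert],
               aki_is_filter: bool = False) -> Optional[List[Cert]]:
    """Greedy path builder (no backtracking). Returns leaf..anchor or None."""
    path, current = [leaf], leaf
    while current not in anchors:
        # Candidate issuers are selected by name chaining.
        cands = [c for c in pool if c.subject == current.issuer and c not in path]

        def aki_ok(c: Cert, cur: Cert = current) -> bool:
            return cur.aki is None or c.ski is None or cur.aki == c.ski

        if aki_is_filter:
            # Strict policy: a key identifier mismatch eliminates the candidate.
            cands = [c for c in cands if aki_ok(c)]
        else:
            # Hint policy: matching candidates are tried first, none are dropped.
            cands.sort(key=lambda c: not aki_ok(c))
        # The (modelled) signature check decides which candidate is the issuer.
        issuer = next((c for c in cands if c.key == current.signed_by), None)
        if issuer is None:
            return None
        path.append(issuer)
        current = issuer
    return path

# Constructed sample: the leaf's AKI names an older intermediate key ("ff"),
# but the leaf is actually signed by the current intermediate key.
ROOT = Cert("Root CA", "Root CA", key="K-root", signed_by="K-root", ski="aa")
INTER_OLD = Cert("Inter CA", "Root CA", key="K-int-old", signed_by="K-root",
                 ski="ff", aki="aa")
INTER = Cert("Inter CA", "Root CA", key="K-int", signed_by="K-root",
             ski="bb", aki="aa")
LEAF = Cert("server", "Inter CA", key="K-leaf", signed_by="K-int", aki="ff")
POOL = [INTER_OLD, INTER, ROOT]

if __name__ == "__main__":
    for strict in (False, True):
        chain = build_path(LEAF, POOL, [ROOT], aki_is_filter=strict)
        print("filter" if strict else "hint  ", [c.key for c in chain] if chain else None)
```
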