jehan procaccia wrote:
Peter Sylvester wrote:
Well, if one takes the standard configuration of OpenSSL,
it sets the authorityKeyIdentifier to both the hash and the
issuer/serial, no exception for the root. The comment says
that PKIX recommends that.
Yes, and the thread you referred me to on this list, named "Bug in
"authorityKeyIdentifier" extension ?",
goes in the same direction, although it is not clear whether it concerns THE
root CA of a hierarchy or the sub-CAs and final certs.
At http://marc.info/?l=openssl-dev&m=103640560416217&w=2
I can read:
"The keyIdentifier is not used, the only valid content for the
authorityKeyIdentifier is the issuer's name of the issuer certificate,
packed with the issuer's certificate serial number."
...
"PKIX recommends the use of the authorityKeyId, and that the French
Government says you must to have this extension"
Can someone tell me how SSL clients check/verify a 3-level hierarchy?
Is it based on the authorityKeyIdentifier extension?
At a specific level (1/2/3), must it match the keyid, and/or the issuer
(DirName, human-readable), and/or the serial of its nearest (just above)
parent?
I gave up the idea of re-signing my root CA (in order to add the extension
CA:TRUE that I foolishly forgot to set initially!).
Now I've created a whole new root-CA and its 3-level hierarchy of sub-CAs:
http://ca.institut-telecom.fr/pki/IT_ROOT_CA2/
However, I realised after creating that new hierarchy that the Level 2
sub-CA contains the AKI extension with only the issuer (DN + serial). You can
have a look at it here:
http://ca.institut-telecom.fr/pki/IT_CA2/itca2.crt
After all the discussion regarding AKI in the root-CA -> apparently not
necessary there, and in the sub-CA ...?
I still wonder whether, in a sub-CA, having AKI with issuer + keyid is
recommended, superfluous, or to be banished?
Regarding my original problem with the root-CA not having CA:TRUE, the fact
that I had AKI with issuer + keyid in the sub-CA prevented me from re-signing the
root-CA with a different serial, so in that (rare) case I would say
that AKI+issuer in the sub-CA is to be banished.
However, the RFC and the book
http://david.carella.free.fr/fr/cryptographie/livre-pki-open-source.html
apparently recommend it:
"AKI must NOT be critical; for the root-CA it may be mentioned (however
superfluous); in a sub-CA it MUST have keyid:always, issuer:always"
I am in doubt about what to do with my new CA hierarchy regarding AKI;
please let me know if you think there's a problem with it:
http://ca.institut-telecom.fr/pki/IT_ROOT_CA2/
Thanks,
Regards, jehan.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
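The point raised in the post above (an AKI of keyid + issuer/serial in a sub-CA pins it to one specific root certificate, so re-issuing the root with a new serial breaks path validation, whereas keyid alone survives it) can be reproduced with the openssl command line. The script below is an added example, not code from the thread or from the poster's PKI: it builds a root -> sub-CA -> leaf chain twice, once with `authorityKeyIdentifier=keyid:always,issuer:always` in the sub-CA and once with `keyid:always` only, re-issues the root with the same key and subject but serial 2 instead of 1, and runs `openssl verify` against both roots. The subject names, serial numbers and file names are assumptions made for the demo; it needs the `openssl` CLI (1.1.1 or 3.x, for `-addext`-free signing via `-extfile` and for `x509 -ext`) on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: build a root -> sub-CA -> leaf chain
# with two flavours of sub-CA AKI, re-issue the root with a new serial, and see
# which chain still verifies. Needs the openssl CLI (1.1.1 or 3.x). The names,
# subjects and serial numbers below are made up for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private key for one level of the hierarchy (EC P-256, quick to generate).
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Self-signed root with CA:TRUE and an SKID, so children can reference it by keyid.
# make_root OUT.crt KEY SERIAL
make_root() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/root.ext"
    openssl req -new -key "$2" -subj "/CN=Demo Root CA" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$2" -set_serial "$3" -days 365 \
        -extfile "$WORK/root.ext" -out "$1" 2>/dev/null
}

# Sub-CA signed by the root; the authorityKeyIdentifier spec is the last argument.
# make_sub OUT.crt KEY ISSUER.crt ISSUER.key SERIAL AKI-SPEC
make_sub() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' \
        "authorityKeyIdentifier=$6" > "$WORK/sub.ext"
    openssl req -new -key "$2" -subj "/CN=Demo Sub CA" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/sub.csr" -CA "$3" -CAkey "$4" -set_serial "$5" -days 365 \
        -extfile "$WORK/sub.ext" -out "$1" 2>/dev/null
}

# End-entity certificate signed by the sub-CA (AKI keyid only).
# make_leaf OUT.crt KEY ISSUER.crt ISSUER.key SERIAL
make_leaf() {
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > "$WORK/leaf.ext"
    openssl req -new -key "$2" -subj "/CN=demo.example" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$3" -CAkey "$4" -set_serial "$5" -days 365 \
        -extfile "$WORK/leaf.ext" -out "$1" 2>/dev/null
}

# Path validation the way a client does it: ROOT trusted, SUB untrusted, LEAF the target.
# Prints OK or FAIL.
chain_status() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Prints yes if the certificate's AKI carries an issuer name + serial, else no.
aki_has_issuer_serial() {
    if openssl x509 -in "$1" -noout -ext authorityKeyIdentifier 2>/dev/null | grep -q 'serial:'; then
        echo yes
    else
        echo no
    fi
}

for k in root sub leaf; do gen_key "$WORK/$k.key"; done

make_root "$WORK/root1.crt" "$WORK/root.key" 1
make_sub  "$WORK/sub_ki.crt" "$WORK/sub.key" "$WORK/root1.crt" "$WORK/root.key" 10 'keyid:always,issuer:always'
make_sub  "$WORK/sub_k.crt"  "$WORK/sub.key" "$WORK/root1.crt" "$WORK/root.key" 11 'keyid:always'
make_leaf "$WORK/leaf_ki.crt" "$WORK/leaf.key" "$WORK/sub_ki.crt" "$WORK/sub.key" 100
make_leaf "$WORK/leaf_k.crt"  "$WORK/leaf.key" "$WORK/sub_k.crt"  "$WORK/sub.key" 101

# Root re-issued with the same key and subject but serial 2 (the poster's re-signing case).
make_root "$WORK/root2.crt" "$WORK/root.key" 2

BEFORE_KI=$(chain_status "$WORK/root1.crt" "$WORK/sub_ki.crt" "$WORK/leaf_ki.crt")
AFTER_KI=$(chain_status "$WORK/root2.crt" "$WORK/sub_ki.crt" "$WORK/leaf_ki.crt")
BEFORE_K=$(chain_status "$WORK/root1.crt" "$WORK/sub_k.crt" "$WORK/leaf_k.crt")
AFTER_K=$(chain_status "$WORK/root2.crt" "$WORK/sub_k.crt" "$WORK/leaf_k.crt")

echo "sub-CA AKI keyid+issuer: original root $BEFORE_KI, re-issued root $AFTER_KI"
echo "sub-CA AKI keyid only:   original root $BEFORE_K, re-issued root $AFTER_K"
```

The keyid-only sub-CA still validates under the re-issued root because the SKID is a hash of the public key, which did not change; the keyid + issuer/serial sub-CA is rejected because OpenSSL's issuer matching compares the AKI serial with the candidate root's serial and refuses a root whose serial differs. The root itself needs no AKI at all for verification.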