Hi, I thought that two values could be the same. Both use the hash value of the subject public key field information of the issuer certificate.
RFC 2560 does not have any description of the use of authority key identifier. However, looking at the archives of PKIX discussion, some mentioned the use of authority key identifier to avoid the hash calculation at the client side. Or am I misunderstanding about the calculation over the two values?

#The authority Key identifier has different methods to calculate, so
#it is not good to rely on the authority key identifier value only.

-Kiyoshi
Kiyoshi Watanabe

> On Sun, Jan 19, 2003, Kiyoshi WATANABE wrote:
>
> > Dear all and developers,
> >
> > Is there any option to create the CertID.issuerKeyHash using the AKID of the
> > cert to be checked, instead of using the issuer certificate itself, in
> > OCSP request?
> >
> > In addition, do you see any security concerns over this usage if being
> > developed?
> >
>
> The OCSP standard defines what CertID.issuerKeyHash should be so changing that
> makes the implementation non-compliant.
>
> Updated versions of the OCSP standards are being discussed which do allow
> alternative certificate identifiers but they are still being discussed and
> OpenSSL doesn't support them yet.
>
> Steve.
> --
> Dr. Stephen Henson [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~steve/
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
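
Added example (not from the original messages, and not OpenSSL code): the Python below computes CertID.issuerKeyHash from an issuer SubjectPublicKeyInfo and compares it with the two keyIdentifier methods of RFC 3280 section 4.2.1.2, showing when an AKID value would and would not equal the hash. The SPKI bytes, the minimal DER reader and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample: a SubjectPublicKeyInfo with the rsaEncryption OID and 64
# placeholder key bytes (not a real RSA key); only the DER layout matters here.
KEY = bytes(range(64))
SPKI = bytes.fromhex("3052" "300d06092a864886f70d0101010500" "034100") + KEY

def der_tlv(data, off=0):
    """Return (tag, content, next_offset) of the DER element at data[off]."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    if off + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[off:off + length], off + length

def public_key_bits(spki):
    """subjectPublicKey BIT STRING value without tag, length, unused-bits octet."""
    tag, seq, _ = der_tlv(spki)
    alg_tag, _, nxt = der_tlv(seq)  # skip the AlgorithmIdentifier
    bit_tag, bits, _ = der_tlv(seq, nxt)
    if (tag, alg_tag, bit_tag) != (0x30, 0x30, 0x03) or bits[:1] != b"\x00":
        raise ValueError("not a SubjectPublicKeyInfo")
    return bits[1:]

def issuer_key_hash(issuer_spki, hash_name="sha1"):
    """CertID.issuerKeyHash, using the hash named in CertID.hashAlgorithm."""
    return hashlib.new(hash_name, public_key_bits(issuer_spki)).digest()

def key_id_method1(spki):
    """RFC 3280 4.2.1.2 method (1): full 160-bit SHA-1 of the key bits."""
    return hashlib.sha1(public_key_bits(spki)).digest()

def key_id_method2(spki):
    """RFC 3280 4.2.1.2 method (2): 0100 then the low 60 bits of that SHA-1."""
    tail = bytearray(key_id_method1(spki)[-8:])
    tail[0] = 0x40 | (tail[0] & 0x0F)
    return bytes(tail)

def akid_matches_issuer_key_hash(akid, issuer_spki, hash_name="sha1"):
    """True only if the AKID value equals the hash computed from the issuer key."""
    return akid == issuer_key_hash(issuer_spki, hash_name)

if __name__ == "__main__":
    for name, akid in (("method 1", key_id_method1(SPKI)),
                       ("method 2", key_id_method2(SPKI))):
        print(name, akid.hex(), akid_matches_issuer_key_hash(akid, SPKI),
              akid_matches_issuer_key_hash(akid, SPKI, "sha256"))
```

Only a method (1) keyIdentifier combined with a SHA-1 CertID gives equal values; RFC 3280 also permits other ways of generating the identifier, so a client cannot tell from the AKID alone which case it has.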