Apologies for the late reply, I've been on vacation.

On Tue, Feb 27, 2024 at 3:05 AM Rob Stradling <rob= 40sectigo....@dmarc.ietf.org> wrote:

> Carl wrote:
> > If this mechanism only applies to certs that conform to a profile that
> > requires presence of key identifier in the AKID extension, state that up
> > front.
>
> I think this is a reasonable request.
>
> Aaron wrote:
> > RFC 5280 requires both that the AKID extension be present and that the
> > keyIdentifier field be present within it
>
> I think it's worth pointing this out too.

Agreed on both counts, I've filed https://github.com/aarongable/draft-acme-ari/issues/59 to make sure I clarify this in the document.

On Tue, Feb 27, 2024 at 6:30 AM Salz, Rich <rs...@akamai.com> wrote:

> Or you could break it into multiple sentences.
>
> The unique identifier is constructed by concatenating the
> base64url-encoding of the bytes of the keyIdentifier field of certificate's
> Authority Key Identifier (AKI) extension, a literal period, and the
> base64url-encoding of the bytes of the DER encoding of the certificate's
> Serial Number (without the tag and length bytes). The encoding is defined
> in Section 5 of [RFC4648] and the AKI extension is defined in Section
> 4.2.1.1 of [RFC5280].

Thanks for the suggestion, I'll continue workshopping this phrasing.

Thanks again all,
Aaron
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
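
The identifier construction discussed in this thread, as an added example that is not part of the original messages or of the draft's own text. The function names and the sample key identifier and serial are constructed for illustration, and stripping the trailing "=" padding from the base64url output is an assumption here, since the quoted wording only cites Section 5 of RFC 4648.

```python
import base64

def b64url(data: bytes) -> str:
    """base64url (RFC 4648 Section 5); trailing '=' stripped (assumption)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def der_integer_content(serial: int) -> bytes:
    """Content octets of a DER INTEGER, i.e. without the tag and length bytes."""
    if serial <= 0:
        raise ValueError("RFC 5280 serial numbers are positive integers")
    # bit_length() // 8 + 1 yields the minimal length and reserves a leading
    # 0x00 octet whenever the top bit of the first value octet would be set.
    return serial.to_bytes(serial.bit_length() // 8 + 1, "big")

def cert_id(key_identifier: bytes, serial: int) -> str:
    """keyIdentifier and serial content octets, each base64url'd, joined by '.'."""
    if not key_identifier:
        # The mechanism depends on the AKI keyIdentifier being present.
        raise ValueError("AKI keyIdentifier is required")
    return b64url(key_identifier) + "." + b64url(der_integer_content(serial))

def parse_cert_id(value: str) -> tuple[bytes, int]:
    """Inverse of cert_id(): returns (keyIdentifier bytes, serial number)."""
    aki_part, sep, serial_part = value.partition(".")
    if not sep or not aki_part or not serial_part or "." in serial_part:
        raise ValueError("expected exactly two non-empty parts joined by '.'")

    def decode(part: str) -> bytes:
        # Restore the padding that was stripped when encoding.
        return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

    content = decode(serial_part)
    serial = int.from_bytes(content, "big", signed=True)
    # Reject non-positive values and non-minimal encodings (extra leading 0x00).
    if serial <= 0 or der_integer_content(serial) != content:
        raise ValueError("serial is not a minimal positive DER INTEGER")
    return decode(aki_part), serial

# Constructed sample values, not taken from the thread.
SAMPLE_KEY_ID = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
SAMPLE_SERIAL = 0x87654321  # top bit set, so DER content is 00 87 65 43 21

if __name__ == "__main__":
    print(cert_id(SAMPLE_KEY_ID, SAMPLE_SERIAL))
```

The leading 0x00 octet is the detail most often missed: encoding the raw four serial bytes instead of the five DER content octets gives a different, non-matching identifier.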