On Fri, 1 Nov 2002, [iso-8859-1] Frédéric Giudicelli wrote:
> Well Microsoft support tells me it's openssl's fault, and you tell me it's
> microsoft's ?
> It's dead end, what am I supposed to tell my clients ?
Well. Since Microsoft's history if full of bugs, security problems, and
non-comformity to the standarts, then Microsoft is more likely to be
guilty. ;)
> Well... altough PKIX recommends the use of the authorityKeyId, and that the
> French Government says you must to have this extension, to be certified,
> I'll have to remove this extension ?
No. The authorityKeyIdentifier can be used in 3 different manners,
differing in the content of the extension:
1/ specify the keyIdentifier contained in the subjectKeyIdentifier
extension of the issuer certificate
2/ specify the issuer name of the issuing certificate, with the serial
number of the issuing certificate (that is, identify the issuing
certificate by it's father's name and the rank of the issuing
certificate in all those children).
3/ both of the above contents
The easiest method is the first one, of course. But that means each
issuing certificate has to have a subjectKeyIdentifier extension. When
it's not the case, and you *must* provide an authorityKeyIdentifier
extension, then the method 2 is the only one possible.
Please take into consideration that:
- qualified certificates are defined by European directives, not a french
law
- it takes a lot more than just using the authorityKeyIdentifier
extension to have a qualified certificate
Hope this helps.
--
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
CJ> Les censeurs agitent plus de vent que les moulins des Pays Bas.
Tiens, je savais pas que c'étaient les moulins qui créaient le vent.
-+- GR in GNU : Dame qui se shoote et sang chaud pensa -+-
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
