On Fri, 1 Nov 2002, Frédéric Giudicelli wrote:

> Well Microsoft support tells me it's openssl's fault, and you tell me it's
> microsoft's ?
> It's a dead end, what am I supposed to tell my clients ?

Well. Since Microsoft's history is full of bugs, security problems, and non-conformity to the standards, then Microsoft is more likely to be guilty. ;)

> Well... although PKIX recommends the use of the authorityKeyId, and that the
> French Government says you must have this extension, to be certified,
> I'll have to remove this extension ?

No. The authorityKeyIdentifier can be used in 3 different manners, differing in the content of the extension:

1/ specify the keyIdentifier contained in the subjectKeyIdentifier extension of the issuer certificate
2/ specify the issuer name of the issuing certificate, with the serial number of the issuing certificate (that is, identify the issuing certificate by its father's name and the rank of the issuing certificate among all those children).
3/ both of the above contents

The easiest method is the first one, of course. But that means each issuing certificate has to have a subjectKeyIdentifier extension. When that's not the case, and you *must* provide an authorityKeyIdentifier extension, then method 2 is the only one possible.

Please take into consideration that:
- qualified certificates are defined by European directives, not a French law
- it takes a lot more than just using the authorityKeyIdentifier extension to have a qualified certificate

Hope this helps.

-- 
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
CJ> Censors stir up more wind than the windmills of the Netherlands.
Oh, I didn't know it was the windmills that made the wind.
-+- GR in GNU : Dame qui se shoote et sang chaud pensa -+-
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
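As an added illustration (not code from Erwann's mail or from OpenSSL), here is a small Python DER walker that reports which of the three authorityKeyIdentifier forms described above an extension value uses, so you can check what a CA actually emitted before deciding whether form 1 or form 2 is in play. The sample extension values, the issuer name CN=Test CA and the serial number 42 are constructed for the example.

```python
def tlv(tag, body):
    """Minimal DER TLV encoder; the constructed samples are all under 128 bytes."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos:]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_aki(der):
    """Walk an AuthorityKeyIdentifier SEQUENCE (RFC 5280 4.2.1.1) and report which
    components are present, plus the form number (1, 2 or 3) used in the mail."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "AuthorityKeyIdentifier must be a SEQUENCE"
    info = {"key_id": None, "issuer": False, "serial": None}
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x80:                    # [0] IMPLICIT keyIdentifier (OCTET STRING)
            info["key_id"] = val.hex()
        elif tag == 0xA1:                  # [1] IMPLICIT authorityCertIssuer (GeneralNames)
            info["issuer"] = True
        elif tag == 0x82:                  # [2] IMPLICIT authorityCertSerialNumber (INTEGER)
            info["serial"] = int.from_bytes(val, "big", signed=True)
    has_issuer_serial = info["issuer"] and info["serial"] is not None
    if info["key_id"] and has_issuer_serial:
        info["form"] = 3
    elif info["key_id"]:
        info["form"] = 1
    elif has_issuer_serial:
        info["form"] = 2
    else:
        info["form"] = 0                   # neither form: not a usable AKI
    return info

# Constructed samples: a 20-byte key id, and issuer CN=Test CA with serial 42.
KEY_ID = bytes(range(1, 21))
ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Test CA"))))
ISSUER_AND_SERIAL = tlv(0xA1, tlv(0xA4, ISSUER_NAME)) + tlv(0x82, b"\x2A")
AKI_FORM1 = tlv(0x30, tlv(0x80, KEY_ID))
AKI_FORM2 = tlv(0x30, ISSUER_AND_SERIAL)
AKI_FORM3 = tlv(0x30, tlv(0x80, KEY_ID) + ISSUER_AND_SERIAL)
```

Feed `classify_aki` the raw extension value (the OCTET STRING contents of the X.509 extension, not the whole certificate) to see which form a given CA used.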