[email protected] <[email protected]> writes:

>However, that does not mean our PKIX (RFC-5280) conforming implementation
>will cause errors or bugs to current implementations of browsers.

Given all the bizarre stuff that ended up in the PKIX spec, it would be quite
easy to create a fully PKIX-compliant cert that had all manner of strange and
unexpected interactions with browsers (see my previous message for examples).
The skill required for deploying certs is to know (or at least have a general
idea of) what will happen to them in the wild, not to assume that whatever
peculiar thing the PKIX spec says is actually implemented by anyone.

>Actually, in RFC 5280 as well as the original X.509 standard, the recommended
>official way to distinguish the different generation of CA certificates is by
>using the chaining of the Issuer Key Identifier extension and Subject Key
>Identifier extension (as you mentioned) in certification path processing.

OK, that's one of the less crazy things in the spec, but it still doesn't
guarantee that much, if anything, does it that way.  In practice, you chain by
DN, not by key ID.

Peter.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

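As an added illustration of the DN-versus-key-ID chaining point in the message above (example code written for this page, not part of Peter's message, the thread, or any browser's code): the program constructs the exact situation the two posters are arguing about, a root CA that has been re-keyed under an unchanged DN, so that two "generations" of CA certificate share a subject name but have different keys and different Subject Key Identifiers. It then builds the path three ways, by name alone, by name plus AKI/SKI, and by trial signature verification, and finally hands the same pool to Go's crypto/x509 verifier as a stand-in for "what implementations actually do". The second leaf has no Authority Key Identifier at all, the case where key-ID chaining gives you nothing. The CA name, hostname, serial numbers and keys are all made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed fixture, not real certificates: one root CA name
// re-keyed once (Gen1, Gen2) and a leaf issued by Gen2 with and without an AKI.
type Scenario struct {
	Gen1, Gen2, Leaf, LeafNoAKI *x509.Certificate
	Pool                        []*x509.Certificate // both generations, same DN
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func tmpl(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue signs template t under parent with signer and returns the parsed cert.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

func BuildScenario() *Scenario {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	k1, k2, kLeaf := newKey(), newKey(), newKey()
	ca := tmpl(1, "Example Root CA") // identical DN for both generations (made-up name)
	ca.IsCA, ca.BasicConstraintsValid = true, true
	ca.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	// SubjectKeyId is left empty: Go derives it from the CA public key, so the
	// two generations get different SKIs under the same name.
	gen1 := issue(ca, ca, &k1.PublicKey, k1)
	ca.SerialNumber = big.NewInt(2)
	gen2 := issue(ca, ca, &k2.PublicKey, k2)
	lf := tmpl(100, "www.example.test")
	lf.DNSNames = []string{"www.example.test"}
	lf.KeyUsage = x509.KeyUsageDigitalSignature
	lf.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf := issue(lf, gen2, &kLeaf.PublicKey, k2)
	// CreateCertificate copies parent.SubjectKeyId into the child's AKI; signing
	// under a copy of gen2 with the SKI blanked yields a leaf with no AKI at all.
	noSKI := *gen2
	noSKI.SubjectKeyId = nil
	lf.SerialNumber = big.NewInt(101)
	leafNoAKI := issue(lf, &noSKI, &kLeaf.PublicKey, k2)
	return &Scenario{gen1, gen2, leaf, leafNoAKI, []*x509.Certificate{gen1, gen2}}
}

// FindIssuer walks the pool the way deployed verifiers do: byDN is every cert
// whose subject name equals the child's issuer name; byKeyID keeps those whose
// SKI equals the child's AKI, which narrows nothing when the child has no AKI;
// signer is the first candidate whose key actually verifies the signature.
func FindIssuer(child *x509.Certificate, pool []*x509.Certificate) (byDN, byKeyID []*x509.Certificate, signer *x509.Certificate) {
	for _, c := range pool {
		if !bytes.Equal(c.RawSubject, child.RawIssuer) {
			continue
		}
		byDN = append(byDN, c)
		if len(child.AuthorityKeyId) == 0 || bytes.Equal(c.SubjectKeyId, child.AuthorityKeyId) {
			byKeyID = append(byKeyID, c)
		}
		if signer == nil && child.CheckSignatureFrom(c) == nil {
			signer = c
		}
	}
	return
}

// VerifyWithRoots runs Go's own path builder over the same pool; it too picks
// parents by name and uses key identifiers only to order the candidates.
func VerifyWithRoots(leaf *x509.Certificate, roots []*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

func main() {
	s := BuildScenario()
	for _, leaf := range []*x509.Certificate{s.Leaf, s.LeafNoAKI} {
		byDN, byKeyID, signer := FindIssuer(leaf, s.Pool)
		fmt.Printf("AKI present=%t  DN matches=%d  key-ID matches=%d  signer serial=%v  verify: %v\n",
			len(leaf.AuthorityKeyId) > 0, len(byDN), len(byKeyID), signer.SerialNumber, VerifyWithRoots(leaf, s.Pool))
	}
}
```

With the AKI present, the name match returns both generations and the key-ID filter picks out the right one; with the AKI absent, the filter is a no-op and only the signature check (or a verifier that tries every same-name candidate, as Go's does) finds the issuer. Either way the name comparison comes first, which is the "chain by DN" behaviour the message describes; AKI/SKI only helps once you already have the name match, and only for certificates that carry the extension.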