'Corey Bonnell' via [email protected] writes:

>I am wondering about the rationale for switching the hash algorithm used for
>generating SKIs. If the full SHA-256 hash of the subjectPublicKey is used as
>the SKI value, then the intermediate certificate and end-entity certificate
>will each be 12 octets larger (256-bit SHA-256 hash vs. 160-bit SHA-1 hash).
And in particular the sKID is an implicit value, not an explicit value. In other words it can be anything that works for the CA, not explicitly a hash of the public key with a specific algorithm, although that's a very common way to create it.

In terms of the announcement:

>They will use SHA256 to compute their Subject Key Identifiers instead of SHA1.

While that sort of implies use of the full hash, it could actually be anything, just using SHA256 instead of SHA1 at some step of the process.

Peter.

--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/SY4PR01MB62511ED00308FF7E72E6B40AEE85A%40SY4PR01MB6251.ausprd01.prod.outlook.com.
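The two points in this exchange (the 12-octet size difference if the full SHA-256 digest is used, and the fact that the SKI is an opaque value that relying parties match rather than recompute) are easy to see in code. The following is an added example, not code from the thread or from any CA mentioned in it. It hashes a constructed stand-in for the subjectPublicKey BIT STRING contents with the derivations documented in RFC 5280 section 4.2.1.2 (SHA-1) and RFC 7093 method 1 (leftmost 160 bits of SHA-256), plus the full-SHA-256 reading the size estimate assumes, and shows how an auditor can label which derivation a given SKI corresponds to while path building itself only compares octets. The function names and the sample key bytes are this example's own.

```python
import hashlib
from typing import Optional

# Constructed sample standing in for the contents of the subjectPublicKey
# BIT STRING (tag, length and unused-bits octet already stripped), which is
# exactly what RFC 5280 section 4.2.1.2 method (1) feeds to the hash.
# Any byte string will do for the demonstration.
SAMPLE_SUBJECT_PUBLIC_KEY = bytes(range(1, 65)) + b"\x01\x00\x01"


def ski_rfc5280_sha1(spk: bytes) -> bytes:
    """RFC 5280 method (1): the 160-bit SHA-1 of the subjectPublicKey bits."""
    return hashlib.sha1(spk).digest()


def ski_rfc7093_sha256_truncated(spk: bytes) -> bytes:
    """RFC 7093 method 1: leftmost 160 bits of SHA-256 over the same bits.
    Same 20-octet size as the SHA-1 form, so no certificate growth."""
    return hashlib.sha256(spk).digest()[:20]


def ski_sha256_full(spk: bytes) -> bytes:
    """Full 256-bit SHA-256 digest, the reading behind the '12 octets larger'
    estimate in the thread."""
    return hashlib.sha256(spk).digest()


def encoded_size_delta(spk: bytes) -> int:
    """Extra octets in the KeyIdentifier OCTET STRING when moving from a
    20-octet to a 32-octet value. Both lengths fit the DER short form, so the
    tag and length octets are unchanged and the delta is just the digest."""
    return len(ski_sha256_full(spk)) - len(ski_rfc5280_sha1(spk))


# Derivations an auditor might recognise. A CA is free to use none of them.
KNOWN_DERIVATIONS = {
    "RFC 5280 SHA-1": ski_rfc5280_sha1,
    "RFC 7093 SHA-256 truncated to 160 bits": ski_rfc7093_sha256_truncated,
    "full SHA-256": ski_sha256_full,
}


def identify_derivation(spk: bytes, ski: bytes) -> Optional[str]:
    """Label which known derivation produced `ski` for this key, or None if
    the CA used some other scheme (which RFC 5280 permits)."""
    for name, derive in KNOWN_DERIVATIONS.items():
        if derive(spk) == ski:
            return name
    return None


def aki_matches_ski(aki_key_identifier: bytes, issuer_ski: bytes) -> bool:
    """What a path builder actually does with these values: a byte-for-byte
    comparison of the child's AKI keyIdentifier against the issuer's SKI.
    It never recomputes the hash, which is why the derivation is the CA's
    private choice."""
    return aki_key_identifier == issuer_ski


if __name__ == "__main__":
    spk = SAMPLE_SUBJECT_PUBLIC_KEY
    for name, derive in KNOWN_DERIVATIONS.items():
        print(f"{name:40s} {len(derive(spk)):2d} octets {derive(spk).hex()}")
    print("size delta, SHA-1 -> full SHA-256:", encoded_size_delta(spk))
    # A CA-assigned serial-style identifier: valid, but matches no derivation.
    print("opaque SKI recognised as:", identify_derivation(spk, b"\x00" * 8))
```

Running it prints the three candidate identifiers with their lengths, the 12-octet delta, and `None` for the opaque value, which is the point of the reply: a relying party cannot tell from the SKI alone which hash (or whether any hash) was used, and does not need to.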
