Nelson B Bolyard wrote:
[...]
Although the RFC doesn't say so, there have been books and documents
on the subject published by various authors which claim that the
issuer name and serial number in the AKID, if present, are only an
indicator of preference. They state that the AKID's issuer name and
serial number are to be ignored if you (the relying party testing the
cert under test) cannot find any CA cert with that issuer name and
serial number.  However, if you do/can find the cert with that issuer
name and serial number, then you must use that one.  So say certain authors.

What RFC 5280 does say is this:

4.2.1.2.  Subject Key Identifier
[...] Applications are not required to verify that key identifiers match when performing certification path validation.

So, rejecting a potential CA cert only because the SKI/AKI do not match is not part of the path validation algorithm of the RFC.

Now, the application can consider that it applies the RFC (§4.2.1.1) by getting a set of potential issuers, filtering them according to the AKI, and stopping there if the set is empty after the filtering.

Ignoring the extension when that happens is just a sensible and compatible way to make the application more robust.

Although it would be non-conformant with the RFC, I think perhaps NSS
should ignore the AKID's issuer name and serial number fields

It's not non-conformant; the RFC does allow choosing to ignore them.
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
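The issuer-selection behaviour discussed in this thread (name chaining first, the AKID used only as a preference, and the extension ignored when it filters out every candidate), as an added example that is not NSS code or anything from the original message. It assumes a constructed, simplified certificate model with only the fields relevant to issuer selection; the sample store models a CA that was re-keyed, so two CA certs share one subject name.

```python
from dataclasses import dataclass
from typing import List, Optional

# Simplified certificate model (constructed for this example, not a real
# X.509 parser): only the fields that matter for issuer selection.
@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: Optional[bytes] = None            # Subject Key Identifier
    akid_key_id: Optional[bytes] = None    # AKID keyIdentifier
    akid_issuer: Optional[str] = None      # AKID authorityCertIssuer
    akid_serial: Optional[int] = None      # AKID authorityCertSerialNumber

def akid_matches(candidate: Cert, target: Cert) -> bool:
    """True if every AKID field present in `target` agrees with `candidate`."""
    if target.akid_key_id is not None and candidate.ski != target.akid_key_id:
        return False
    # authorityCertIssuer/SerialNumber name the issuer cert itself, i.e. its
    # own issuer name and its own serial number.
    if target.akid_issuer is not None and candidate.issuer != target.akid_issuer:
        return False
    if target.akid_serial is not None and candidate.serial != target.akid_serial:
        return False
    return True

def potential_issuers(target: Cert, store: List[Cert]) -> List[Cert]:
    # Step 1: name chaining, which RFC 5280 path validation does require.
    by_name = [c for c in store if c.subject == target.issuer]
    # Step 2: narrow by AKID; the RFC does not require this match, so it is
    # only a preference used to pick among same-name candidates.
    filtered = [c for c in by_name if akid_matches(c, target)]
    # Step 3: if the AKID matched nothing, ignore the extension rather than
    # fail; the candidate set falls back to plain name chaining.
    return filtered if filtered else by_name

# Constructed store: "CN=Example CA" was re-keyed, so two certs share the name.
ROOT = Cert("CN=Root", "CN=Root", 1, ski=b"root-key")
CA_OLD = Cert("CN=Example CA", "CN=Root", 10, ski=b"ca-key-1", akid_key_id=b"root-key")
CA_NEW = Cert("CN=Example CA", "CN=Root", 20, ski=b"ca-key-2", akid_key_id=b"root-key")
STORE = [ROOT, CA_OLD, CA_NEW]

# Constructed end-entity certs under test.
EE_KEYID = Cert("CN=server", "CN=Example CA", 100, akid_key_id=b"ca-key-2")
EE_ISSUER_SERIAL = Cert("CN=server", "CN=Example CA", 101, akid_issuer="CN=Root", akid_serial=10)
EE_STALE = Cert("CN=server", "CN=Example CA", 102, akid_issuer="CN=Root", akid_serial=99)
```

With EE_STALE the AKID names a CA cert that is not in the store, so the selection falls back to both same-name candidates instead of rejecting the cert outright.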