Eddy Nigg wrote:
Interestingly I /think/ NSS is the only library which really has a
problem with it, to all of my knowledge (and I might be wrong with that)

You might. OpenSSL (therefore mod_ssl, etc.) also has a problem when it doesn't match. I think most other libraries also have a problem with it, or else don't use the keyid at all.

MS crypto doesn't have a problem with that IIRC.  That might be because
it only checks the keyid in any case.

Libraries should consider the content of the AKI as a hint, and ignore it when it doesn't match. Almost all consider it authoritative instead. MS goes so far as to consider the keyid more authoritative than the DN (yes, that's really, really broken).
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
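As an added example (not code from this thread, nor from NSS, OpenSSL or any other library discussed above), the Go program below constructs a CA and a leaf certificate whose Authority Key Identifier keyid deliberately fails to identify the CA's key. It then contrasts the two policies the thread argues about: an issuer lookup that treats the AKI as authoritative (name match plus keyid match, or no issuer at all) and one that treats it as a hint (name match first, keyid only to order candidates, signature check to decide). All names, serials and the bogus keyid are constructed; the example relies on Go's crypto/x509, whose own chain builder also uses the keyid only to rank candidates, so x509.Verify is expected to succeed on the same certificate that the strict lookup rejects.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds a constructed CA and a leaf whose AKI keyid does not match
// the CA's SKI. Everything here is test material built at runtime.
type Scenario struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// Pool returns the trust store used for the lookups (just the one CA).
func (s *Scenario) Pool() []*x509.Certificate { return []*x509.Certificate{s.CA} }

// BuildScenario issues a self-signed CA (Go derives its SKI automatically) and
// a leaf signed by that CA whose AKI keyid is forced to a bogus value.
func BuildScenario() (*Scenario, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "leaf.example.test"},
		DNSNames:     []string{"leaf.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// Constructed bogus keyid: identifies no real key.
		AuthorityKeyId: []byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x01, 0x02, 0x03},
	}
	// CreateCertificate copies parent.SubjectKeyId into the leaf's AKI when the
	// parent has one, so sign with a copy of the CA whose SKI is blanked out.
	signer := *ca
	signer.SubjectKeyId = nil
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, &signer, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &Scenario{CA: ca, Leaf: leaf}, nil
}

// KeyIDMatches reports whether the leaf's AKI keyid equals the candidate's SKI.
func KeyIDMatches(leaf, candidate *x509.Certificate) bool {
	return bytes.Equal(leaf.AuthorityKeyId, candidate.SubjectKeyId)
}

// StrictIssuerLookup models "AKI is authoritative": the issuer name must match
// and the keyid must match, so a wrong keyid makes the real issuer unfindable.
func StrictIssuerLookup(leaf *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, c := range pool {
		if bytes.Equal(leaf.RawIssuer, c.RawSubject) && KeyIDMatches(leaf, c) {
			return c
		}
	}
	return nil
}

// HintIssuerLookup models "AKI is a hint": candidates are selected by issuer
// DN (the keyid never overrides the name), ordered so keyid matches are tried
// first, and the signature check decides which candidate is the issuer.
func HintIssuerLookup(leaf *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	var preferred, fallback []*x509.Certificate
	for _, c := range pool {
		if !bytes.Equal(leaf.RawIssuer, c.RawSubject) {
			continue
		}
		if KeyIDMatches(leaf, c) {
			preferred = append(preferred, c)
		} else {
			fallback = append(fallback, c)
		}
	}
	for _, c := range append(preferred, fallback...) {
		if leaf.CheckSignatureFrom(c) == nil {
			return c
		}
	}
	return nil
}

// VerifyWithStdlib runs Go's own chain builder against the same material.
func VerifyWithStdlib(s *Scenario) error {
	roots := x509.NewCertPool()
	roots.AddCert(s.CA)
	_, err := s.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "leaf.example.test"})
	return err
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("AKI keyid matches CA SKI:   %v\n", KeyIDMatches(s.Leaf, s.CA))
	fmt.Printf("strict lookup finds issuer: %v\n", StrictIssuerLookup(s.Leaf, s.Pool()) != nil)
	fmt.Printf("hint lookup finds issuer:   %v\n", HintIssuerLookup(s.Leaf, s.Pool()) != nil)
	fmt.Printf("x509.Verify error:          %v\n", VerifyWithStdlib(s))
}
```

The hint variant still filters by issuer DN before it looks at the keyid, which is the opposite of the MS behaviour criticised above: a keyid match is only ever used to decide which name-matching candidate to try first, never to accept a candidate whose subject does not match the leaf's issuer.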
