On Fri, Apr 25, 2014 at 4:59 PM, Erwann Abalea <[email protected]> wrote:
> AKI is only a helper for certificate path building.
> It's mandatory for CAs to issue certificates with matching keyIdentifiers
> (issued.AKI.keyIdentifier = issuer.SKI), but it's not mandatory for relying
> parties to verify that the values match.
While I might agree to the reasoning behind why it doesn't matter, I
don't see why a cautious implementation (not to call it *paranoid*
which might have a different meaning to some) does not *check* what
others are *required to do*. And do that *by default*. Not doing it
under some more relaxed conditions ("export cipher" anyone ?).
Best,
--
Martin
+372 515 6495
--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
