As a CA, if you receive a cert request that contains a particular subject key ID value, you are not obligated to use that value, and probably should not use it, unless it just happens to match the value that you would choose anyway. The discussion in RFC 3280 on page 27 about a "previously established identifier" doesn't mean "identifier found in the request". Rather it means that if the CA has previously issued a cert with this public key in it[...].
This is the part I want to comply with: --- from RFC 3280 [...] Where an end entity has obtained multiple certificates, especially from multiple CAs, the subject key identifier provides a means to quickly identify the set of certificates containing a particular public key. [...]
And this is the case where it's interesting that the CA can accept an SKI in the request.
If you want to cross-certify a certificate, it makes things a lot better if all CAs give it the same SKI.
But it should be an option that's not usually on.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
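The CA-side policy discussed in this thread (derive the SKI from the public key per RFC 3280 section 4.2.1.2 method 1, and honour a requested SKI only when it equals that value, so every CA certifying the same key agrees on it), as an added example that is not code from the thread or from any of its participants. The minimal DER helpers, the `build_rsa_spki` constructor and the toy modulus are assumptions made for the demo; only the standard library is used.

```python
import hashlib

RSA_ENCRYPTION_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def _read_tlv(buf, off):
    """Return (tag, body, offset after this TLV) for the DER element at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def build_rsa_spki(n, e):
    """DER SubjectPublicKeyInfo for an RSA key (used here to construct sample input)."""
    alg = _tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    rsa_key = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))

def subject_public_key_bits(spki):
    """Extract the subjectPublicKey BIT STRING contents (without the unused-bits byte)."""
    _, seq, _ = _read_tlv(spki, 0)          # SubjectPublicKeyInfo SEQUENCE
    _, _, off = _read_tlv(seq, 0)           # skip AlgorithmIdentifier
    tag, bitstr, _ = _read_tlv(seq, off)    # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    return bitstr[1:]

def derive_ski(spki):
    """RFC 3280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key_bits(spki)).digest()

def accept_requested_ski(spki, requested):
    """CA policy: honour an SKI carried in the request only if it equals the
    value the CA would derive anyway; otherwise the CA's own value is used."""
    return requested == derive_ski(spki)

SAMPLE_SPKI = build_rsa_spki((1 << 255) + 12345, 65537)  # constructed toy modulus, not a real key
```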
