Pierre Scholtes wrote:

But similarly the AKI field of the webserver certificate (issued by the SubCA) would have to point to the SubCA to select the right certificate if the SubCA has multiple key pairs. And exactly here is my problem: the AKI field in the webserver certificate does not point to the SubCA but to the RootCA, which seems illogical to me, as software would have to check this field to find the correct SubCA certificate and then the AKI field of the SubCA certificate to find the correct RootCA certificate.

Only one question: how should software determine the correct sub CA for a cert?


1. The subject does not have to be unique.

2. The serial of the sub CA is not really unique.

So again, how do you identify the correct sub CA? Answer: with the authority key identifier, which contains an identification of the issuer of the sub CA's cert. You can choose the correct path for validation in this way.

More technically, the software (client) can take the authority key identifier and compare this identifier with the issuer information in the CA certificates. Only one certificate should match this identifier and have the correct serial - the sub CA cert.

Bill, I hope the explanation is correct. If not please correct me.

Cheers Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org
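As an added example (not from this thread and not OpenCA code), the following small Python path builder does the selection discussed above: for each certificate it picks the candidate issuer whose Subject Key Identifier equals the certificate's AKI keyIdentifier, as RFC 5280 section 4.2.1.1 specifies, and then checks that the matched key actually belongs to the CA named in the issuer DN. The certificates are constructed in-memory records (key identifiers such as "s2" are placeholders, not real key hashes) and no signatures are verified. The three leaf certificates reproduce the cases in the thread: a correct AKI, a web server certificate whose AKI names the root key while its issuer DN names the sub CA, and a certificate with no AKI at all chained against a sub CA that has two certificates with the same subject.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the fields a path builder needs from an X.509 certificate."""
    subject: str            # subject DN
    issuer: str             # issuer DN
    serial: int
    ski: str                # Subject Key Identifier: identifies this cert's own public key
    aki: Optional[str]      # Authority Key Identifier keyIdentifier: SKI of the signing key


def candidate_issuers(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Certificates in `pool` whose key could have signed `cert`.

    With an AKI present we match key to key, which tells apart two CA
    certificates that share a subject DN (e.g. after a CA key rollover).
    Without it we can only chain by name, which is exactly the ambiguous case.
    """
    if cert.aki is not None:
        return [c for c in pool if c.ski == cert.aki]
    return [c for c in pool if c.subject == cert.issuer]


def build_path(leaf: Cert, intermediates: List[Cert], trust_anchors: List[Cert],
               max_depth: int = 8) -> Tuple[Optional[List[Cert]], List[str]]:
    """Walk from `leaf` towards a trust anchor, one issuer at a time.

    Returns (path, notes). `path` is None when no unambiguous, name-consistent
    chain exists; `notes` says why, which is what an operator wants to see when
    a server certificate's AKI points at the wrong CA key.
    Signature verification and validity-period checks are out of scope here.
    """
    pool = list(intermediates) + list(trust_anchors)
    path, notes, current = [leaf], [], leaf
    for _ in range(max_depth):
        if current in trust_anchors:
            return path, notes
        cands = candidate_issuers(current, pool)
        if not cands:
            notes.append(f"{current.subject}: no certificate matches aki={current.aki}")
            return None, notes
        # The key that matches the AKI must belong to the CA named as issuer;
        # otherwise the certificate was mis-issued or carries a wrong AKI.
        consistent = [c for c in cands if c.subject == current.issuer]
        if not consistent:
            notes.append(
                f"{current.subject}: aki={current.aki} matches "
                f"{sorted({c.subject for c in cands})} but issuer DN is {current.issuer!r}; "
                "mis-issued certificate or wrong AKI")
            return None, notes
        if len(consistent) > 1:
            notes.append(
                f"{current.subject}: ambiguous issuer, {len(consistent)} certificates "
                f"named {current.issuer!r} and no AKI to choose between them")
            return None, notes
        current = consistent[0]
        path.append(current)
    notes.append("path exceeds max_depth")
    return None, notes


# --- constructed sample PKI: a root and a sub CA that each went through a key rollover ---
ROOT_K1 = Cert("CN=Root CA", "CN=Root CA", 1, ski="r1", aki="r1")
ROOT_K2 = Cert("CN=Root CA", "CN=Root CA", 2, ski="r2", aki="r2")
SUB_K1 = Cert("CN=Sub CA", "CN=Root CA", 10, ski="s1", aki="r1")
SUB_K2 = Cert("CN=Sub CA", "CN=Root CA", 11, ski="s2", aki="r2")
TRUST_ANCHORS = [ROOT_K1, ROOT_K2]
INTERMEDIATES = [SUB_K1, SUB_K2]

# Web server certificate issued by the sub CA's second key: its AKI names that key.
LEAF_OK = Cert("CN=www.example.test", "CN=Sub CA", 1001, ski="l1", aki="s2")
# Same issuer DN, but the AKI names a root key instead of the sub CA key.
LEAF_BAD_AKI = Cert("CN=www.example.test", "CN=Sub CA", 1002, ski="l2", aki="r2")
# No AKI at all: name chaining alone cannot tell the two sub CA certificates apart.
LEAF_NO_AKI = Cert("CN=www.example.test", "CN=Sub CA", 1003, ski="l3", aki=None)

if __name__ == "__main__":
    for leaf in (LEAF_OK, LEAF_BAD_AKI, LEAF_NO_AKI):
        path, notes = build_path(leaf, INTERMEDIATES, TRUST_ANCHORS)
        print(leaf.serial, [c.serial for c in path] if path else None, notes)
```

Running it builds the chain 1001 -> 11 -> 2 for the good certificate, refuses the second one because the key named by its AKI belongs to "CN=Root CA" rather than to the issuer DN "CN=Sub CA", and refuses the third because two "CN=Sub CA" certificates are left and nothing selects between them. Real validators additionally verify each signature with the selected issuer's key, so a wrong AKI normally surfaces as a signature failure or an "unable to get issuer certificate" error rather than as the explicit diagnostics shown here.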



_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
