In message <[EMAIL PROTECTED]> on Thu, 31 Oct 2002 23:19:17 
+0100 (MET), "Frédéric Giudicelli via RT" <[EMAIL PROTECTED]> said:

rt> All I know is that MS Windows 2000 SP3 considers the chain broken,
rt> it links the EndUser Cert with the ROOT CERT, and since the issuer
rt> of the EndUser Cert is not ROOT CA, badaboum, unusable
rt> certificate.

In that case, I think Windows has it wrong.

rt> When authorityKeyId=keyid, it works, when authorityKeyId=keyid,
rt> issuer -> doesn't work.

OK, listen up: It's not the combination keyID+issuer that should be
looked up, it's the combination issuer+serial (look at the
certificate, there should be a serial number there as well).  If
Windows breaks on such values, it's broken.

rt> I'm sorry but when we talk about the issuer of the EndUser Cert,
rt> we talk about INTERMEDIATE CA, not ROOT CA.

Again, listen up: The intermediate CA certificate can be referred to by
subject or by rootsubject+serial (that is, the serial number that you
can see in the intermediate CA certificate).  It's the latter lookup
method that should be used when the authorityKeyIdentifier is used.

rt> That's nonsense.

No, you just keep ignoring the serial number, and apparently, so does
Windows.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
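
Added example, not part of the original message and not OpenSSL or Windows code: a small model of the two authorityKeyIdentifier lookups discussed in the thread. The certificate records, key identifiers and serial numbers are constructed, and naive_match is a hypothetical model of the misreading described above (issuer taken as the CA's subject, serial ignored).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:  # constructed, simplified stand-in for an X.509 certificate
    subject: str
    issuer: str
    serial: int
    ski: Optional[str] = None         # subjectKeyIdentifier
    aki_keyid: Optional[str] = None   # AKI keyIdentifier
    aki_issuer: Optional[str] = None  # AKI authorityCertIssuer
    aki_serial: Optional[int] = None  # AKI authorityCertSerialNumber

def aki_match(child, cand):
    """cand may be child's issuer: names chain, and every AKI field present agrees."""
    if child.issuer != cand.subject:
        return False
    if None not in (child.aki_keyid, cand.ski) and child.aki_keyid != cand.ski:
        return False
    if child.aki_issuer is not None:
        # issuer+serial identify the issuing CA's own certificate, so they are
        # compared with cand's *issuer* and *serial*, not with cand's subject.
        return (child.aki_issuer, child.aki_serial) == (cand.issuer, cand.serial)
    return True

def naive_match(child, cand):
    """Hypothetical misreading: AKI issuer taken as the issuer's subject, serial ignored."""
    wanted = child.aki_issuer if child.aki_issuer is not None else child.issuer
    return wanted == cand.subject

def build_chain(leaf, pool, match):
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer and len(chain) <= len(pool):
        nxt = next((c for c in pool if match(chain[-1], c)), None)
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def is_linked(chain):
    """Each certificate's issuer name must equal the next certificate's subject."""
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))

ROOT = Cert("CN=Root CA", "CN=Root CA", 1, ski="aa")
INTER = Cert("CN=Intermediate CA", "CN=Root CA", 2, ski="bb",
             aki_keyid="aa", aki_issuer="CN=Root CA", aki_serial=1)
LEAF = Cert("CN=End User", "CN=Intermediate CA", 7,
            aki_keyid="bb", aki_issuer="CN=Root CA", aki_serial=2)
LEAF_KEYID_ONLY = Cert("CN=End User", "CN=Intermediate CA", 8, aki_keyid="bb")
POOL = [ROOT, INTER]
```

With aki_match the end-user certificate resolves to the intermediate CA and then the root; with naive_match it is linked straight to the root and the issuer names no longer chain, while the keyid-only certificate chains correctly under both.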
