In message <[EMAIL PROTECTED]> on Thu, 31 Oct 2002 23:19:17 +0100 (MET), "Frédéric Giudicelli via RT" <[EMAIL PROTECTED]> said:

rt> All I know, is that MS Windows 2000 SP3 considers the chain broken,
rt> it links the EndUser Cert with the ROOT CERT, and since the issuer
rt> of the EndUser Cert is not ROOT CA, badaboum, unusable
rt> certificate.

In that case, I think Windows has it wrong.

rt> When authorityKeyId=keyid, it works, when authorityKeyId=keyid,
rt> issuer -> doesn't work.

OK, listen up: It's not the combination keyID+issuer that should be looked up, it's the combination issuer+serial (look at the certificate, there should be a serial number there as well). If Windows breaks on such values, it's broken.

rt> I'm sorry but when we talk about the issuer of the EndUser Cert,
rt> we talk about INTERMEDIATE CA, not ROOT CA.

Again, listen up: The intermediate CA certificate can be referred to by subject or by rootsubject+serial (that is, the serial number that you can see in the intermediate CA certificate). It's the latter lookup method that should be used when the authorityKeyIdentifier is used.

rt> That's nonsense.

No, you just keep ignoring the serial number, and apparently, so does Windows.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
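
The lookup discussed in this message, as an added example that is not code from the poster or from OpenSSL: a small Python model in which the issuer+serial pair in authorityKeyIdentifier names the CA certificate by that certificate's own issuer and serial, next to a hypothetical misreading that links the end-user certificate to the root. The `Cert` class, the function names and all sample names, serials and key ids are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: Optional[str] = None         # subjectKeyIdentifier
    aki_keyid: Optional[str] = None   # authorityKeyIdentifier: keyIdentifier
    aki_issuer: Optional[str] = None  # authorityKeyIdentifier: authorityCertIssuer
    aki_serial: Optional[int] = None  # authorityKeyIdentifier: authorityCertSerialNumber

def aki_matches(child: Cert, cand: Cert) -> bool:
    """cand may have issued child only if every AKI field present agrees."""
    if child.issuer != cand.subject:
        return False
    if None not in (child.aki_keyid, cand.ski) and child.aki_keyid != cand.ski:
        return False
    if None not in (child.aki_issuer, child.aki_serial):
        # issuer+serial name the CA certificate by *its* issuer and serial
        return (cand.issuer, cand.serial) == (child.aki_issuer, child.aki_serial)
    return True

def find_issuer(child: Cert, pool: List[Cert]) -> List[Cert]:
    """All candidates in pool that are consistent with child's issuer and AKI."""
    return [c for c in pool if aki_matches(child, c)]

def misread_find_issuer(child: Cert, pool: List[Cert]) -> List[Cert]:
    """Hypothetical misreading: authorityCertIssuer taken as the issuer's subject."""
    wanted = child.aki_issuer or child.issuer
    return [c for c in pool if c.subject == wanted]

# Constructed sample chain (names, serials and key ids are made up).
ROOT = Cert("CN=Root CA", "CN=Root CA", 1, ski="AA")
INTER = Cert("CN=Intermediate CA", "CN=Root CA", 2, ski="BB")
INTER_OLD = Cert("CN=Intermediate CA", "CN=Root CA", 7, ski="CC")  # same name, other cert
END_USER = Cert("CN=End User", "CN=Intermediate CA", 10,
                aki_keyid="BB", aki_issuer="CN=Root CA", aki_serial=2)
POOL = [ROOT, INTER, INTER_OLD]

if __name__ == "__main__":
    print("correct:", [(c.subject, c.serial) for c in find_issuer(END_USER, POOL)])
    print("misread:", [(c.subject, c.serial) for c in misread_find_issuer(END_USER, POOL)])
```

The second intermediate with the same subject shows what the serial adds: the subject name alone leaves two candidates, the issuer+serial pair leaves one.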