Re: cert extension: authority key identifier (AKI)

2009-12-16 Daniel Joscak
Hi all, I found it here: http://www.mozilla.org/projects/security/certs/policy/ Thank you very much for all the explanations, especially the one with the silent upgrade by Jean-Marc. I still don't understand Mozilla's requirement in case silent upgrade is not required (furthermore, prohibited by

Re: cert extension: authority key identifier (AKI)

2009-11-24 Jean-Marc Desperrier
Eddy Nigg wrote: Interestingly I /think/ NSS is the only library which really has a problem with it, to all of my knowledge (and I might be wrong with that). You might. OpenSSL (therefore mod_ssl, etc.) also has a problem when it doesn't match. I think most other libraries also have a problem

Re: cert extension: authority key identifier (AKI)

2009-11-24 Jean-Marc Desperrier
Nelson B Bolyard wrote: CAs that make this mistake typically have to abandon and completely replace their entire PKI (entire tree of issued certificates) when a CA cert expires and its serial number appears in the AKI of other subordinate certs. More than once I've seen entire corporate PKIs

Re: cert extension: authority key identifier (AKI)

2009-11-24 Ian G
On 24/11/2009 10:25, Jean-Marc Desperrier wrote: Nelson B Bolyard wrote: CAs that make this mistake typically have to abandon and completely replace their entire PKI (entire tree of issued certificates) when a CA cert expires and its serial number appears in the AKI of other subordinate certs.

Re: cert extension: authority key identifier (AKI)

2009-11-21 Frank Hecker
Nelson B Bolyard wrote: On 2009-11-19 08:24 PST, Daniel Joscak wrote: I would like to ask for an explanation of Mozilla trust cert. store requirement for adding CA. Is this a question about Mozilla's policy for adding root CA certificates to the set of trusted root CA certificates that it

Re: cert extension: authority key identifier (AKI)

2009-11-21 Ian G
Hi Nelson, On 20/11/2009 20:57, Nelson B Bolyard wrote: On 2009-11-19 08:24 PST, Daniel Joscak wrote: Or is this a question about the behavior of Mozilla's crypto code? In that case, this is the right list. I read it is a question as to what goes wrong when it is done, and why it is that

Re: cert extension: authority key identifier (AKI)

2009-11-21 Nelson B Bolyard
On 2009-11-21 10:46 PST, Ian G wrote: Hi Nelson, On 20/11/2009 20:57, Nelson B Bolyard wrote: On 2009-11-19 08:24 PST, Daniel Joscak wrote: Why correct authority key identifier (AKI) can not include both the key ID and the issuer's issuer name and serial number. We have an authority that

cert extension: authority key identifier (AKI)

2009-11-19 Daniel Joscak
I would like to ask for an explanation of Mozilla trust cert. store requirement for adding CA. Why correct authority key identifier (AKI) can not include both the key ID and the issuer's issuer name and serial number. We have an authority that adds to its certificates such AKI and till now I