Bug in decoding/printing the authorityKeyIdentifier extension

2011-08-26 Thread Erwann ABALEA
Hello, Given a certificate with an authorityKeyIdentifier extension containing the issuerName and serial fields, with a negative serial number, displaying this certificate (openssl x509 -text -noout ...) doesn't tell that the serial number is negative, and prints its absolute value. -- Erwann

Re: [openssl.org #1282] error setting AuthorityKeyIdentifier

2006-02-10 Thread Dr. Stephen Henson
On Fri, Feb 10, 2006, Tim Bond via RT wrote: I am doing some interop testing with a toolkit that performs PKIX certificate verification and it is having a problem validating a chain I built with OpenSSL. What appears to be happening is that when 'ca' copies in the authority key information

Re: [openssl.org #1282] error setting AuthorityKeyIdentifier

2006-02-10 Thread Kyle Hamilton
I haven't checked the archives, but if I'm not mistaken, it's because it's (presumably) the rootCA that is the original trusted authority (the 'trust anchor'), and thus the authorityKeyIdentifier is the anchor rather than the CA that derives its trust from the anchor? (Also: if the question has

Re: [openssl.org #1282] error setting AuthorityKeyIdentifier

2006-02-10 Thread Dr. Stephen Henson
On Fri, Feb 10, 2006, Kyle Hamilton wrote: I haven't checked the archives, but if I'm not mistaken, it's because it's (presumably) the rootCA that is the original trusted authority (the 'trust anchor'), and thus the authorityKeyIdentifier is the anchor rather than the CA that derives its

Re: authorityKeyIdentifier

2002-12-03 Thread Guillermo Maturana
the authorityKeyIdentifier and the problems with Microsoft. So I used my contacts, packaged the problem and now it looks for me like Microsoft also interprets the extension in the correct way. The problem is now where do you find the bug or problem? I forward two mails from Microsoft in some minutes. They were

authorityKeyIdentifier

2002-12-02 Thread Michael Bell
Hi, I read the discussion about the authorityKeyIdentifier and the problems with Microsoft. So I used my contacts, packaged the problem and now it looks for me like Microsoft also interprets the extension in the correct way. The problem is now where do you find the bug or problem? I forward

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-13 Thread Vadim Fedukovich
] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, November 01, 2002 12:50 AM Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ? Well Microsoft support tells me it's openssl's fault, and you tell me it's microsoft's

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-13 Thread Frédéric Giudicelli
convince them ! Cheers ! - Original Message - From: Frédéric Giudicelli [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, November 01, 2002 12:50 AM Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ? Well Microsoft support tells me it's

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-13 Thread Richard Levitte - VMS Whacker
In message 03f201c28a97$38a075d0$0200a8c0@station1 on Tue, 12 Nov 2002 23:02:41 +0100, Frédéric Giudicelli [EMAIL PROTECTED] said: groups I'm guessing that M$ is wrong, that would not be the first time, however groups the real question now, is how do you contact M$, the report the bug, the guy

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-13 Thread Frédéric Giudicelli
Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ? In message 03f201c28a97$38a075d0$0200a8c0@station1 on Tue, 12 Nov 2002 23:02:41 +0100, Frédéric Giudicelli [EMAIL PROTECTED] said: groups I'm guessing that M$ is wrong, that would not be the first time, however groups

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-13 Thread Erwann ABALEA
On Wed, 13 Nov 2002, Frédéric Giudicelli wrote: Well I hope MS will be able to get into an adult argumentation, I think it's mostly about the comprehension of the RFC, since it's really not clear the way IETF expresses it. The best solution would be that one of you big people, contact IETF,

RE: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-13 Thread benson
I've been very pleasantly surprised, in the last few months, at the responsiveness of MS support people and developers whom I have encountered by submitting support requests related to Kerberos and X.509. If someone would turn down the flame-meter a notch or two and construct a concise document

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-12 Thread Frédéric Giudicelli via RT
convince them ! Cheers ! - Original Message - From: Frédéric Giudicelli [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, November 01, 2002 12:50 AM Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ? Well Microsoft support tells me it's

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-04 Thread Erwann ABALEA
On Thu, 31 Oct 2002, Frédéric Giudicelli via RT wrote: ROOT CA's authorityKeyIdentifier extension gives its own DN as issuer (normal) INTERMEDIATE CA's authorityKeyIdentifier extension gives ROOT CA's DN as issuer (normal) A certificate signed by INTERMEDIATE CA, gives ROOT CA's DN as issuer

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-04 Thread Erwann ABALEA
. The keyIdentifier is not used, the only valid content for the authorityKeyIdentifier is the issuer's name of the issuer certificate, packed with the issuer's certificate serial number. -- Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5 - Et puis, je sais que ça ne se fait pas de reprendre sur

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-04 Thread Erwann ABALEA
to the standards, then Microsoft is more likely to be guilty. ;) Well... although PKIX recommends the use of the authorityKeyId, and that the French Government says you must have this extension, to be certified, I'll have to remove this extension ? No. The authorityKeyIdentifier can be used

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension?

2002-11-02 Thread Massimiliano Pala
Frédéric Giudicelli via RT wrote: Well Microsoft support tells me it's openssl's fault, and you tell me it's microsoft's ? It's dead end, what am I supposed to tell my clients ? Well... although PKIX recommends the use of the authorityKeyId, and that the French Government says you must have

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-01 Thread Frédéric Giudicelli
architecture ? That's a non sense. - Original Message - From: Richard Levitte - VMS Whacker via RT [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, October 31, 2002 11:07 PM Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ? In message

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-01 Thread Frédéric Giudicelli
] Sent: Friday, November 01, 2002 12:23 AM Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ? In message [EMAIL PROTECTED] on Thu, 31 Oct 2002 23:19:17 +0100 (MET), Frédéric Giudicelli via RT [EMAIL PROTECTED] said: rt All I know, is that MS Windows 2000 SP3 consider

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-01 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Fri, 1 Nov 2002 00:51:24 +0100 (MET), Frédéric Giudicelli via RT [EMAIL PROTECTED] said: rt Well Microsoft support tells me it's openssl's fault, and you tell rt me it's microsoft's? I'm basing what I say, not only on the way it's implemented, but also on what's

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-01 Thread Richard Levitte - VMS Whacker via RT
In message [EMAIL PROTECTED] on Fri, 1 Nov 2002 00:51:24 +0100 (MET), Frédéric Giudicelli via RT [EMAIL PROTECTED] said: rt Well Microsoft support tells me it's openssl's fault, and you tell rt me it's microsoft's? I'm basing what I say, not only on the way it's implemented, but also on

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-11-01 Thread Vadim Fedukovich
On Fri, Nov 01, 2002 at 12:51:24AM +0100, Frédéric Giudicelli via RT wrote: Well Microsoft support tells me it's openssl's fault, and you tell me it's microsoft's ? It's dead end, what am I supposed to tell my clients ? Well, Microsoft and openssl are not the only code available. Would you

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-10-31 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Thu, 31 Oct 2002 22:44:33 +0100 (MET), Frédéric Giudicelli via RT [EMAIL PROTECTED] said: rt The authorityKeyIdentifier extension seems to behave weirdly... rt rt I have a two level CA architecture: rt ROOT CA rt INTERMEDIATE CA rt For both CA: rt

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-10-31 Thread Richard Levitte - VMS Whacker via RT
In message [EMAIL PROTECTED] on Thu, 31 Oct 2002 22:44:33 +0100 (MET), Frédéric Giudicelli via RT [EMAIL PROTECTED] said: rt The authorityKeyIdentifier extension seems to behave weirdly... rt rt I have a two level CA architecture: rt ROOT CA rt INTERMEDIATE CA rt For both CA: rt

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-10-31 Thread Frédéric Giudicelli via RT
architecture ? That's a non sense. - Original Message - From: Richard Levitte - VMS Whacker via RT [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, October 31, 2002 11:07 PM Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ? In message

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-10-31 Thread Richard Levitte - VMS Whacker
to by subject or by rootsubject+serial (that is, the serial number that you can see in the intermediate CA certificate). It's the latter lookup method that should be used when the authorityKeyIdentifier is used. rt That's a non sense. No, you just keep ignoring the serial number, and apparently, so

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-10-31 Thread Richard Levitte - VMS Whacker via RT
to by subject or by rootsubject+serial (that is, the serial number that you can see in the intermediate CA certificate). It's the latter lookup method that should be used when the authorityKeyIdentifier is used. rt That's a non sense. No, you just keep ignoring the serial number, and apparently

Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ?

2002-10-31 Thread Frédéric Giudicelli via RT
] Sent: Friday, November 01, 2002 12:23 AM Subject: Re: [openssl.org #323] Bug in authorityKeyIdentifier extension ? In message [EMAIL PROTECTED] on Thu, 31 Oct 2002 23:19:17 +0100 (MET), Frédéric Giudicelli via RT [EMAIL PROTECTED] said: rt All I know, is that MS Windows 2000 SP3 consider

openssl ca sets wrong authorityKeyIdentifier

2002-03-19 Thread Michael Bell
Hi, I found a bug in openssl ca. If you set authorityKeyIdentifier to keyid and issuer always then the keyid will be set correctly but the issuer is wrong. Example: Root-CA -- Sub-Level 1 CA -- Sub-Level 2 CA -- User If I issue a certificate for a user then the issuer of the CA-cert is the DN

Re: openssl ca sets wrong authorityKeyIdentifier

2002-03-19 Thread Dr S N Henson
Michael Bell wrote: Hi, I found a bug in openssl ca. If you set authorityKeyIdentifier to keyid and issuer always then the keyid will be set correctly but the issuer is wrong. Example: Root-CA -- Sub-Level 1 CA -- Sub-Level 2 CA -- User If I issue a certificate for a user

Re: openssl ca sets wrong authorityKeyIdentifier

2002-03-19 Thread Michael Bell
Dr S N Henson wrote: Michael Bell wrote: Hi, I found a bug in openssl ca. If you set authorityKeyIdentifier to keyid and issuer always then the keyid will be set correctly but the issuer is wrong. Example: Root-CA -- Sub-Level 1 CA -- Sub-Level 2 CA -- User If I issue

Re: openssl ca sets wrong authorityKeyIdentifier

2002-03-19 Thread Dr S N Henson
Michael Bell wrote: Dr S N Henson wrote: Michael Bell wrote: Hi, I found a bug in openssl ca. If you set authorityKeyIdentifier to keyid and issuer always then the keyid will be set correctly but the issuer is wrong. Example: Root-CA -- Sub-Level 1 CA -- Sub

Re: openssl ca sets wrong authorityKeyIdentifier

2002-03-19 Thread Robert Joop
On 02-03-19 23:05:52 CET, Dr S N Henson wrote: I can't see how that can happen. The ca command only passes the issuing CA certificate to the extension routines. It does not have access to any other CA certificate. It fills in the authority key identifier by extracting the issuer name of that

Re: openssl ca sets wrong authorityKeyIdentifier

2002-03-19 Thread Dr S N Henson
Robert Joop wrote: the user cert has the user CA's DN in the issuer DN (CN=User CA) and the root CA's DN in the authority key identifier DirName (CN=Test-CA (G4)), see the attached example. but the user cert's authority key identifier keyid is the user CA cert's subject key identifier

PKI extension AuthorityKeyIdentifier and SslEay

1999-02-05 Thread Pierre De Boeck
Hi all, I would like to add PKI extensions in my certificates like AuthorityKeyIdentifier (id-ce 35). I use SslEay v 09.1b and it seems that its support for such extensions is incomplete. Do you know a patch or something like that that supports them (and specially their DER encoding