FWIW, at least one implementation (mine) already generates subject names containing a SHA-1 hash of the public key (i.e., another encoding of the same value we're already using as the SKI). I'll let the other implementors speak to whether their implementations already do something like this, or how hard it would be to add if needed.
I'd have no particular objection to specifying that the relying party should check whether the CRL and the certificate being revoked were signed by the same key, probably by comparing the AKI values, thus doing approximately what Roque thought we were doing already. :)

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
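The two points in the message above, a subject name derived from the same SHA-1 key hash that becomes the SKI, and a relying-party check that a CRL and the certificate it would revoke carry the same AKI, as an added example. This is not code from the post, from the author's implementation or from any RPKI validator; it hand-rolls just enough DER to build and parse a SubjectPublicKeyInfo, the "CN=<hex of SKI>" layout is an assumed convention, and the RSA integers are constructed toy values used only as hash input.

```python
import hashlib
from dataclasses import dataclass, field

# ---- Minimal DER encode/decode helpers (written for this example; not a full ASN.1 library) ----

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is emitted when the high bit is set."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_sequence(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_bit_string(body: bytes) -> bytes:
    return der_tlv(0x03, b"\x00" + body)  # first octet: number of unused bits (0)

def der_read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value, offset_after) for the TLV starting at buf[off]."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"

def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: AlgorithmIdentifier + BIT STRING(RSAPublicKey)."""
    rsa_public_key = der_sequence(der_integer(n), der_integer(e))
    return der_sequence(der_sequence(RSA_ENCRYPTION_OID, DER_NULL), der_bit_string(rsa_public_key))

# ---- Key identifier and a hash-derived subject name ----

def subject_key_identifier(spki_der: bytes) -> bytes:
    """RFC 5280 s4.2.1.2 method (1): SHA-1 over the subjectPublicKey BIT STRING value,
    excluding the tag, the length and the unused-bits octet."""
    tag, spki_body, _ = der_read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _algorithm, off = der_read_tlv(spki_body)        # AlgorithmIdentifier is not hashed
    bs_tag, bs_body, _ = der_read_tlv(spki_body, off)
    if bs_tag != 0x03 or bs_body[:1] != b"\x00":
        raise ValueError("subjectPublicKey must be a BIT STRING with 0 unused bits")
    return hashlib.sha1(bs_body[1:]).digest()

def subject_name_from_key(spki_der: bytes) -> str:
    """Assumed naming layout for this example: CN is the hex of the SKI (same value, other encoding)."""
    return "CN=" + subject_key_identifier(spki_der).hex()

# ---- Relying-party check: may this CRL speak for this certificate? ----

@dataclass
class Certificate:
    issuer: str
    subject: str
    serial: int
    aki: bytes          # AuthorityKeyIdentifier.keyIdentifier, i.e. the issuing key's SKI

@dataclass
class CRL:
    issuer: str
    aki: bytes          # AuthorityKeyIdentifier of the key that signed the CRL
    revoked_serials: set = field(default_factory=set)

def crl_applies_to(cert: Certificate, crl: CRL) -> bool:
    """Issuer name match is necessary but not sufficient; the AKI comparison binds the CRL
    to the very key that signed the certificate."""
    return crl.issuer == cert.issuer and crl.aki == cert.aki

def revocation_status(cert: Certificate, crl: CRL) -> str:
    """'revoked' or 'good' from an applicable CRL; 'unknown' when the CRL cannot speak for the
    certificate, in which case the RP must locate the right CRL rather than assume 'good'."""
    if not crl_applies_to(cert, crl):
        return "unknown"
    return "revoked" if cert.serial in crl.revoked_serials else "good"

# Constructed toy keys: these integers are not real RSA moduli, only DER input for the hash.
CA_KEY_1 = rsa_spki(2**61 - 1, 65537)
CA_KEY_2 = rsa_spki(2**1023 + 12345, 65537)   # large enough to exercise long-form DER lengths
CHILD_KEY = rsa_spki(2**107 - 1, 3)

CA_NAME = subject_name_from_key(CA_KEY_1)
CHILD_CERT = Certificate(issuer=CA_NAME, subject=subject_name_from_key(CHILD_KEY),
                         serial=42, aki=subject_key_identifier(CA_KEY_1))
CRL_FROM_CA_KEY = CRL(issuer=CA_NAME, aki=subject_key_identifier(CA_KEY_1), revoked_serials={42})
# Constructed failure case: same issuer name on the CRL, but it was signed by a different key.
CRL_FROM_OTHER_KEY = CRL(issuer=CA_NAME, aki=subject_key_identifier(CA_KEY_2), revoked_serials={42})

if __name__ == "__main__":
    print(CHILD_CERT.subject)
    print(revocation_status(CHILD_CERT, CRL_FROM_CA_KEY))
    print(revocation_status(CHILD_CERT, CRL_FROM_OTHER_KEY))
```

The point of returning "unknown" rather than "good" for the mismatched CRL is that a CRL signed by some other key says nothing about the certificate either way; treating it as a clean bill of health would let a stray or substituted CRL suppress a real revocation.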
