On Thu, Jul 20, 2023 at 06:31:08AM -0400, Deb Cooley wrote:
>
> Issuer key hash: Is this not in the Authority Key ID extension? Or is
> this extension not used?
>
> If these things are not the same, my recommendation would be to use
> Authority Key ID value as a way to ID the issuing CA.

AFAICT, no. RFC5280 merely recommends a construction for AKI, that
nevertheless happens to match the value used by issuer key hash in OCSP.

However:

1) One cannot rely on this, because some CAs do it differently.
2) The value used in ARI is computed using SHA-256, and does not
   match the recommended AKI construction.

-Ilari
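
The comparison made in the reply above, as an added example that is not part of the thread or of any ACME implementation: it hashes the issuer's subjectPublicKey bits with SHA-1 (the AKI construction RFC 5280 recommends, equal to an OCSP issuerKeyHash computed with SHA-1) and with SHA-256, then checks which candidate AKI values identify the issuer. The SPKI bytes, the function names and the "non-default" AKI are constructed for illustration.

```python
import hashlib

# Constructed sample: Ed25519 SubjectPublicKeyInfo with placeholder key bytes 00..1f.
ISSUER_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def public_key_bits(spki):
    """subjectPublicKey BIT STRING value, without tag, length and unused-bits octet."""
    tag, start, end = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, _, alg_end = read_tlv(spki, start)          # AlgorithmIdentifier, skipped
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, key_start, key_end = read_tlv(spki, alg_end)
    if tag != 0x03 or key_end != end or key_end - key_start < 1 or spki[key_start] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    return spki[key_start + 1:key_end]

def issuer_key_hash(spki, algorithm):
    """OCSP-style issuerKeyHash: hash of the public key bits with the given algorithm."""
    return hashlib.new(algorithm, public_key_bits(spki)).digest()

def aki_matches_issuer(aki_key_id, issuer_spki):
    """True only when the keyIdentifier uses the SHA-1 construction RFC 5280 recommends."""
    return aki_key_id == issuer_key_hash(issuer_spki, "sha1")

if __name__ == "__main__":
    sha1_id = issuer_key_hash(ISSUER_SPKI, "sha1")
    sha256_id = issuer_key_hash(ISSUER_SPKI, "sha256")
    other_aki = sha256_id[:20]  # constructed AKI from a CA that does it differently
    print("SHA-1 key hash  :", sha1_id.hex(), aki_matches_issuer(sha1_id, ISSUER_SPKI))
    print("SHA-256 key hash:", sha256_id.hex(), aki_matches_issuer(sha256_id, ISSUER_SPKI))
    print("non-default AKI :", other_aki.hex(), aki_matches_issuer(other_aki, ISSUER_SPKI))
```

Only the first line reports a match: the SHA-256 value differs in both length and content, and an AKI built any other way fails the comparison even though it names the same issuer key.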
