In message <[EMAIL PROTECTED]> on Wed, 20 Nov 2002 13:51:58 +0100 (CET), Erwann ABALEA <[EMAIL PROTECTED]> said:
eabalea> On Wed, 20 Nov 2002, Gerd Schering wrote:
eabalea>
eabalea> > I have the following CA/cert hierarchy:
eabalea> > rootca -> serverca -> servercert
eabalea> >
eabalea> > when I look at the authorityKeyIdentifier in the servercert I see:
eabalea> > keyid: O.K.
eabalea> > serial: O.K.
eabalea> > but DirName is NOT the DirName of the serverca but the one of the rootca!
eabalea> >
eabalea> > This seems to me to be wrong.
eabalea>
eabalea> No, it's correct. There has been a thread on openssl-dev some days ago.
eabalea> You should carefully read the RFC. If you still think OpenSSL is wrong,
eabalea> then read the RFC again, and again, and again... ;)
eabalea>
eabalea> To explain it easily, the authorityKeyIdentifier of servercert is here to
eabalea> find the right certificate for serverca. The certificate for serverca can
eabalea> be identified by the issuer name of serverca (that is, rootca), and the
eabalea> serial number of serverca (which is unique among all the certificates
eabalea> signed by rootca).
eabalea>
eabalea> OpenSSL is right.

This seems to be an FAQ, but I wonder if it really belongs in the
OpenSSL FAQ rather than a general PKI FAQ. Is there such a beast
somewhere that we could point to?

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
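Added example, not part of the original thread and not OpenSSL code: it rebuilds the rootca -> serverca -> servercert hierarchy from the question and shows that the issuer-name/serial pair in servercert's authorityKeyIdentifier selects the serverca certificate, which is why the DirName reads rootca. It assumes the Python `cryptography` package; the helper names (`issue`, `aki_fields`, `find_issuer`, `build_chain`), the keys and the serial numbers are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(cn, key, issuer_cert, issuer_key, serial, is_ca):
    """Issue a certificate; issuer_cert=None produces a self-signed root."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2024, 1, 1)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
         .public_key(key.public_key()).serial_number(serial)
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False))
    if issuer_cert is not None:
        skid = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
        # The AKI describes the ISSUER'S certificate: its key id, the name of
        # whoever issued it (authorityCertIssuer) and its serial number.
        b = b.add_extension(x509.AuthorityKeyIdentifier(
            key_identifier=skid.value.digest,
            authority_cert_issuer=[x509.DirectoryName(issuer_cert.issuer)],
            authority_cert_serial_number=issuer_cert.serial_number), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def aki_fields(cert):
    """Return (DirName, serial) from the cert's authorityKeyIdentifier."""
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    return aki.authority_cert_issuer[0].value.rfc4514_string(), aki.authority_cert_serial_number

def find_issuer(cert, pool):
    """Pick the issuer certificate out of pool by the AKI (issuer name, serial) pair."""
    dirname, serial = aki_fields(cert)
    return next((c for c in pool if c.issuer.rfc4514_string() == dirname
                 and c.serial_number == serial), None)

def build_chain():
    """Constructed sample hierarchy: rootca -> serverca -> servercert."""
    rk, ck, sk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("rootca", rk, None, rk, 1, True)
    ca = issue("serverca", ck, root, rk, 2, True)
    leaf = issue("servercert", sk, ca, ck, 1, False)  # serial 1 again: unique only per issuer
    return root, ca, leaf

if __name__ == "__main__":
    root, ca, leaf = build_chain()
    print(aki_fields(leaf), find_issuer(leaf, [root, ca, leaf]).subject.rfc4514_string())
```

The root and the leaf share serial number 1 here on purpose: the lookup still resolves correctly because the serial is only compared among certificates issued by the name given in DirName.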