On Thu, Mar 12, 2009, Rene Hollan wrote:
> True, but (a) it doesn't hurt to have both, and (b) if the issuer
> doesn't have a SKID, AKID issuer/serial takes the place of an AKID
> keyid.
>

The disadvantage is that if you want to support more than one intermediate CA (cross certification for example) and you have issuer+serial in AKID then you'll get a mismatch with any new CA. This has caused issues when some people had an intermediate CA expire before the EE cert.

Technically AKID/SKID should just be a hint as to the correct issuer certificate which can be ignored but some software (including OpenSSL currently) requires a match.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
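The mismatch Steve describes can be seen in a small issuer-selection model. The code below is an added illustration, not part of the thread and not OpenSSL's code: certificates are plain dataclasses, "signature verification" is a constructed key-id comparison so it runs offline, and the two selection policies (`find_issuer_strict`, which demands that every AKID field present agree with the candidate issuer, and `find_issuer_hint`, which uses AKID only to order candidates) are hypothetical simplifications of real chain builders. The scenario is constructed: an EE cert whose AKID carries both the issuer's keyid and issuer+serial, and three versions of the same intermediate CA key (the original, a renewal issued after expiry, and a cross-certificate from another root).

```python
"""Toy model of AKID-driven issuer selection (added example, not OpenSSL code).

Demonstrates why an AKID that contains authorityCertIssuer +
authorityCertSerialNumber pins an EE cert to one specific CA certificate:
a renewed or cross-certified intermediate keeps the same key (same SKID)
but has a different serial or issuer, so a strict match fails, whereas a
keyid-only AKID, or treating AKID purely as a hint, still chains.
"""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    pubkey: bytes                        # stand-in for the public key
    sig_key: bytes                       # constructed: key that "signed" this cert
    akid_keyid: Optional[bytes] = None   # AKID keyIdentifier
    akid_issuer: Optional[str] = None    # AKID authorityCertIssuer
    akid_serial: Optional[int] = None    # AKID authorityCertSerialNumber

    @property
    def skid(self) -> bytes:
        # SubjectKeyIdentifier is derived from the public key, so every
        # certificate for the same CA key carries the same SKID.
        return b"skid:" + self.pubkey


def signature_ok(cert: Cert, candidate: Cert) -> bool:
    """Constructed stand-in for real signature verification."""
    return cert.sig_key == candidate.pubkey


def akid_keyid_ok(cert: Cert, candidate: Cert) -> bool:
    return cert.akid_keyid is None or cert.akid_keyid == candidate.skid


def akid_issuer_serial_ok(cert: Cert, candidate: Cert) -> bool:
    if cert.akid_issuer is None and cert.akid_serial is None:
        return True
    return cert.akid_issuer == candidate.issuer and cert.akid_serial == candidate.serial


def find_issuer_strict(cert: Cert, candidates: List[Cert]) -> Optional[Cert]:
    """Every AKID field present must match the candidate before it is even tried."""
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        if not (akid_keyid_ok(cert, cand) and akid_issuer_serial_ok(cert, cand)):
            continue
        if signature_ok(cert, cand):
            return cand
    return None


def find_issuer_hint(cert: Cert, candidates: List[Cert]) -> Optional[Cert]:
    """AKID only orders the candidates; whichever verifies first is accepted."""
    def rank(cand: Cert) -> int:
        # Lower is tried first: keyid agreement counts most, issuer+serial next.
        score = 0
        if cert.akid_keyid is not None and cert.akid_keyid == cand.skid:
            score -= 2
        if cert.akid_issuer is not None and akid_issuer_serial_ok(cert, cand):
            score -= 1
        return score

    named = [c for c in candidates if c.subject == cert.issuer]
    for cand in sorted(named, key=rank):
        if signature_ok(cert, cand):
            return cand
    return None


# Constructed scenario (all names, keys and serials are made up).
ROOT_KEY, INT_KEY, OTHER_ROOT_KEY = b"K-root", b"K-int", b"K-other"

ROOT = Cert("Root CA", "Root CA", 1, ROOT_KEY, ROOT_KEY)
INT_V1 = Cert("Int CA", "Root CA", 1000, INT_KEY, ROOT_KEY)         # original intermediate
INT_V2 = Cert("Int CA", "Root CA", 2000, INT_KEY, ROOT_KEY)         # renewed after expiry, same key
INT_CROSS = Cert("Int CA", "Other Root", 7, INT_KEY, OTHER_ROOT_KEY)  # cross-certified by another root

# EE cert pinned by AKID keyid AND issuer+serial of INT_V1.
EE_PINNED = Cert("www.example.test", "Int CA", 42, b"K-ee", INT_KEY,
                 akid_keyid=INT_V1.skid, akid_issuer="Root CA", akid_serial=1000)
# EE cert with a keyid-only AKID.
EE_KEYID = Cert("www.example.test", "Int CA", 43, b"K-ee", INT_KEY,
                akid_keyid=INT_V1.skid)

if __name__ == "__main__":
    print("strict, renewed CA only :", find_issuer_strict(EE_PINNED, [INT_V2]))
    print("hint,   renewed CA only :", find_issuer_hint(EE_PINNED, [INT_V2]).serial)
    print("strict, keyid-only AKID :", find_issuer_strict(EE_KEYID, [INT_V2]).serial)
```

With only the renewed intermediate available, the strict policy finds no issuer for the pinned EE cert even though the signature would verify, which is the post-expiry breakage described above; the keyid-only EE cert and the hint policy both chain, and when several versions of the CA certificate are present the hint policy still prefers the one the AKID names.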