On 2009-11-19 08:24 PST, Daniel Joscak wrote:

> I would like to ask for an explanation of Mozilla trust cert. store
> requirement for adding CA.

Is this a question about Mozilla's policy for adding root CA certificates to the set of trusted root CA certificates that it ships in its products? If so, you should post this question in the dev-security-policy list. Or is this a question about the behavior of Mozilla's crypto code? In that case, this is the right list.

> Why correct authority key identifier (AKI) cannot include both the key
> ID and the issuer's issuer name and serial number. We have an authority
> that adds to its certificates such AKI and till now I thought it is a
> valid X.509 certificate according to RFC 5280.

It is allowed, but it is almost always a huge mistake to do so. CAs that make this mistake typically have to abandon and completely replace their entire PKI (entire tree of issued certificates) when a CA cert expires and its serial number appears in the AKI of other subordinate certs. More than once I've seen entire corporate PKIs have to be replaced due to this error. That's why it's a "problematic practice".

Almost without exception, most CAs that do that (put both issuer's key ID, and issuer's issuer name and serial number into an AKI) do so because they use OpenSSL, and virtually every OpenSSL cookbook web page on the internet shows all 3 AKI fields being used. Monkey see, Monkey do.

All we can do is advise people to use only the issuer's key ID, and NOT the issuer's issuer name and serial number in the AKI of the certs they issue. Trust me, if you stay in the game long enough, you'll thank me.

> regards, Daniel

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
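The renewal failure the reply describes, shown as an added example (Python, not code from this thread and not NSS or Mozilla code). It DER-encodes the RFC 5280 AuthorityKeyIdentifier value in the two forms being contrasted (key identifier only, and key identifier plus issuer name and serial number), decodes it again, and models a path builder that honours every AKI field that is present. The CA name, key identifier and serial numbers are constructed demo values; the "renewed" CA certificate keeps the same key and name and only changes its serial number, which is exactly the case where the three-field AKI stops matching.

```python
"""Model of RFC 5280 AuthorityKeyIdentifier (AKI) handling. Added example,
not from the original thread; all key and name values are constructed."""
import hashlib


def _tlv(tag, value):
    """DER-encode one TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_int(n):
    """DER INTEGER content octets for a non-negative integer (sign bit kept clear)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def encode_aki(key_id, issuer_dn_der=None, serial=None):
    """Return the DER value of an AuthorityKeyIdentifier extension.

    AuthorityKeyIdentifier ::= SEQUENCE {
        keyIdentifier             [0] KeyIdentifier           OPTIONAL,
        authorityCertIssuer       [1] GeneralNames            OPTIONAL,
        authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
    """
    body = _tlv(0x80, key_id)                           # [0] IMPLICIT OCTET STRING
    if issuer_dn_der is not None and serial is not None:
        # [1] GeneralNames holding one directoryName ([4] EXPLICIT Name)
        body += _tlv(0xA1, _tlv(0xA4, issuer_dn_der))
        body += _tlv(0x82, _der_int(serial))            # [2] IMPLICIT INTEGER
    return _tlv(0x30, body)


def decode_aki(der):
    """Parse an AKI value into its three optional fields."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AKI value is not a SEQUENCE")
    aki = {"key_id": None, "issuer": None, "serial": None}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x80:
            aki["key_id"] = val
        elif tag == 0xA1:
            aki["issuer"] = val                         # GeneralNames kept opaque
        elif tag == 0x82:
            aki["serial"] = int.from_bytes(val, "big", signed=True)
    return aki


def aki_matches_ca(aki, ca_cert):
    """Model path builder: every AKI field that is present must agree with the
    candidate CA certificate (key_id with its SubjectKeyIdentifier, serial with
    its own serial number)."""
    if aki["key_id"] is not None and aki["key_id"] != ca_cert["ski"]:
        return False
    if aki["serial"] is not None and aki["serial"] != ca_cert["serial"]:
        return False
    return True


def survives_ca_renewal(aki_der):
    """True if a cert carrying aki_der (issued under CA v1) still chains to CA v2."""
    return aki_matches_ca(decode_aki(aki_der), CA_V2)


# --- constructed demo data (not real key material) --------------------------
CA_PUBLIC_KEY = b"constructed-demo-ca-public-key"
CA_SKI = hashlib.sha1(CA_PUBLIC_KEY).digest()           # RFC 5280 method (1) key id
# Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String "Demo CA" } } }
CA_NAME_DER = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")
                                          + _tlv(0x0C, b"Demo CA"))))
CA_V1 = {"ski": CA_SKI, "name": CA_NAME_DER, "serial": 0x1001}
CA_V2 = {"ski": CA_SKI, "name": CA_NAME_DER, "serial": 0x1002}  # renewed: new serial only

# The two AKI forms a certificate issued under CA v1 might carry
AKI_KEY_ONLY = encode_aki(CA_SKI)
AKI_ALL_THREE = encode_aki(CA_SKI, CA_NAME_DER, CA_V1["serial"])

if __name__ == "__main__":
    for label, aki in (("key id only", AKI_KEY_ONLY),
                       ("key id + issuer + serial", AKI_ALL_THREE)):
        print(f"{label:26s} matches CA v1: {aki_matches_ca(decode_aki(aki), CA_V1)}"
              f"  matches renewed CA v2: {survives_ca_renewal(aki)}")
```

Running it shows the key-id-only AKI matching both the original and the renewed CA certificate, while the three-field AKI matches only the original, because its embedded serial number is pinned to the expiring certificate. Checking issued certificates for a present `[2]` serial field in their AKI is a quick way to find a PKI that will run into this at the next CA renewal.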