Hi all,

I found it here: http://www.mozilla.org/projects/security/certs/policy/
Thank you very much for all the explanations, especially the one about the
"silent upgrade" by Jean-Marc.
I still don't understand Mozilla's requirement in the case where a "silent"
upgrade is not required (furthermore, prohibited by some other regulations)
and where we are careful about the expiration dates of the CA and end-entity
certificates. Why is it an "incorrect extension" or almost always a "huge
mistake" (authority key IDs that include both the key ID and the issuer's
issuer name and serial number)? I think there are three options regarding
silent upgrades:
 - Key ID allows silent upgrade
 - issuer's issuer name and serial number doesn't allow silent upgrade
 - Key ID + issuer's issuer name and serial number is equivalent to the
second option.
Am I correct? An issue when a CA cert expires and its serial number appears
in the AKI of other subordinate certs is a problem of PKI design. I don't
think it should be solved with this extension.


Nelson B Bolyard-2 wrote:
> 
> On 2009-11-21 10:46 PST, Ian G wrote:
>> Hi Nelson,
>> 
>> On 20/11/2009 20:57, Nelson B Bolyard wrote:
>>> On 2009-11-19 08:24 PST, Daniel Joscak wrote:
> 
>>>> Why can a correct authority key identifier (AKI) not include both the key
>>>> ID and the issuer's issuer name and serial number? We have an authority
>>>> that adds such an AKI to its certificates, and till now I thought it was a
>>>> valid X.509 certificate according to RFC 5280.
>>>
>>> It is allowed, but it is almost always a huge mistake to do so.  CAs that
>>> make this mistake typically have to abandon and completely replace their
>>> entire PKI (entire tree of issued certificates) when a CA cert expires and
>>> its serial number appears in the AKI of other subordinate certs.  More than
>>> once I've seen entire corporate PKIs have to be replaced due to this error.
>>> That's why it's a "problematic practice".
>> 
>> I don't see it here:
>> https://wiki.mozilla.org/CA:Problematic_Practices ?
> 
> Well, let's ask Daniel.
> 
> Daniel,
> Where did you find Mozilla documentation saying that AKI should not contain
> BOTH the key ID and the (issuer name, serial number) pair?
> 
> I know I've written about that in this newsgroup many times before, and
> I thought it was one of the "problematic practices", but where did you
> find it?
> -- 
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
> 
> 


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
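The three options in Daniel's message, worked through as an added example (this is not code from the thread, from Mozilla, or from NSS). Certificates are modelled as plain Python objects rather than real DER, and "silent upgrade" is taken, as an assumption, to mean re-issuing a CA certificate under the same key pair with a new serial number and validity period while the old certificate is retired. The issuer-matching rule is the strict one a verifier applies when it honours every field present in the AKI (RFC 5280, section 4.2.1.1): keyIdentifier must equal the candidate issuer's SKI, and authorityCertIssuer/authorityCertSerialNumber must equal the candidate's own issuer name and serial. The names, key bytes and serial numbers are constructed for the example.

```python
"""Chain building against the three AKI styles discussed in the thread.

Added example; certificates are modelled as dataclasses, not real X.509.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AKI:
    key_id: Optional[bytes] = None      # keyIdentifier
    cert_issuer: Optional[str] = None   # authorityCertIssuer
    cert_serial: Optional[int] = None   # authorityCertSerialNumber


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    public_key: bytes   # stand-in for the subjectPublicKey bytes (constructed)
    ski: bytes          # subjectKeyIdentifier
    aki: Optional[AKI]


def key_identifier(public_key: bytes) -> bytes:
    # RFC 5280 4.2.1.2, method (1): SHA-1 over the subjectPublicKey BIT STRING value.
    return hashlib.sha1(public_key).digest()


def candidate_issuers(cert: Cert, store: List[Cert]) -> List[Cert]:
    """Store certificates that satisfy every constraint carried by cert's AKI."""
    out = []
    for ca in store:
        if ca.subject != cert.issuer:          # name chaining always applies
            continue
        aki = cert.aki
        if aki is not None:
            if aki.key_id is not None and aki.key_id != ca.ski:
                continue
            if aki.cert_issuer is not None and aki.cert_issuer != ca.issuer:
                continue
            if aki.cert_serial is not None and aki.cert_serial != ca.serial:
                continue
        out.append(ca)
    return out


# Constructed root key material: same key pair for every issue of the root cert.
ROOT_KEY = b"constructed-root-public-key-bytes"
ROOT_NAME = "CN=Example Root CA"
ROOT_SKI = key_identifier(ROOT_KEY)
SUB_KEY = b"constructed-issuing-ca-public-key-bytes"
STYLES = ("key_id", "issuer_serial", "both")


def make_root(serial: int) -> Cert:
    """Self-signed root; a silent upgrade re-issues it with the same key and a new serial."""
    return Cert(subject=ROOT_NAME, issuer=ROOT_NAME, serial=serial,
                public_key=ROOT_KEY, ski=ROOT_SKI, aki=AKI(key_id=ROOT_SKI))


def make_subordinate(root: Cert, style: str) -> Cert:
    """Issuing CA cert signed by root, with the AKI style requested."""
    if style == "key_id":
        aki = AKI(key_id=root.ski)
    elif style == "issuer_serial":
        aki = AKI(cert_issuer=root.issuer, cert_serial=root.serial)
    elif style == "both":
        aki = AKI(key_id=root.ski, cert_issuer=root.issuer, cert_serial=root.serial)
    else:
        raise ValueError(style)
    return Cert(subject="CN=Example Issuing CA", issuer=root.subject, serial=1001,
                public_key=SUB_KEY, ski=key_identifier(SUB_KEY), aki=aki)


def chains_to(store: List[Cert], cert: Cert) -> bool:
    return bool(candidate_issuers(cert, store))


def silent_upgrade_results() -> Dict[str, Dict[str, bool]]:
    """For each AKI style: does the subordinate still chain once the original
    root cert (serial 1) is retired and only its re-issue (serial 2) remains?"""
    root1, root2 = make_root(1), make_root(2)
    subs = {s: make_subordinate(root1, s) for s in STYLES}
    return {
        "before_upgrade": {s: chains_to([root1], c) for s, c in subs.items()},
        "after_upgrade": {s: chains_to([root2], c) for s, c in subs.items()},
    }


if __name__ == "__main__":
    for phase, results in silent_upgrade_results().items():
        print(phase, results)
```

Under this matching rule the key-ID-only subordinate still chains to the re-issued root, while both the issuer/serial style and the combined style stop chaining the moment the serial-1 root is withdrawn, which is the situation Nelson describes. The caveat for a deployment that never re-issues its CA certificates is that the combined style is only harmless for as long as that stays true: the serial number baked into every subordinate AKI turns a routine CA certificate renewal into a re-issue of the whole subtree.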
