Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

On Mon, Apr 06, 2015 at 06:40:28PM +0200, Erwann Abalea wrote:

> >What makes you think it is incorrect to check the Key
> >Identifier (where present) before checking a signature
> >against a key?
> 
> Because the presented file4.pem is a valid issuer certificate for the one
> found in file3.pem?
> RFC5280 section 6.1 gives the validation algorithm, and the Key Identifier
> isn't mentioned.
> 6.1.3(a) checks for signature, validity, revocation status, and names (i.e.
> that issuercert.subjectName = cert.issuerName).
> 
> You're not supposed to follow exactly the same algorithm (or the one
> described in X.509), but whatever you choose, the result MUST be equivalent.

On the other hand, issuers should not issue certificates whose AKID
keyid does not match the subject key identifier of the issuer CA.

OpenSSL has been checking this condition for two decades at least,
and changing this is an incompatible change that cannot be made in
any releases prior to 1.1.0 (not yet released).  Even then, I am
not convinced that the proposed change is warranted.

-- 
	Viktor.
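
The behaviour Viktor describes, reproduced as an added example (this script is not
part of the thread and not OpenSSL project code; the file3.pem/file4.pem from the
original report are not available, so it constructs its own certificates). It makes
two self-signed issuer certificates from one key and one subject name, differing
only in their SubjectKeyIdentifier, then a leaf signed by that key whose AKID keyid
is copied from the first issuer. Because OpenSSL's issuer lookup compares the leaf
AKID keyid against a candidate's SKID before it tries the signature, `openssl
verify` accepts the first issuer and rejects the second even though the second holds
exactly the key that produced the signature. It assumes an `openssl` CLI (1.1.1 or
3.x) on PATH; the CN values and the hard-coded SKID for ca-b are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): show that OpenSSL
# rejects an issuer candidate whose SKID does not equal the leaf's AKID keyid,
# before any signature check. Assumes `openssl` 1.1.1 or 3.x on PATH.
# Names and the ca_b SKID value below are constructed for this demonstration.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cd "$workdir"

# Print the hex value shown under the named extension in `x509 -text` output,
# dropping the "keyid:" prefix that OpenSSL 1.1.x puts in front of an AKID.
ext_hex() {
    openssl x509 -in "$1" -noout -text |
        awk -v name="$2" 'found { sub(/^ *(keyid:)?/, ""); print; exit }
                          $0 ~ name { found = 1 }'
}

# Exit status of `openssl verify` for leaf.pem against one trust anchor.
verify_against() {
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}

# One CA key, reused for both issuer certificates.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Test CA
[ca_a]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ca_b]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
# Same key and name as ca_a, but a constructed SKID that the leaf AKID will not match.
subjectKeyIdentifier = DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF
EOF
openssl req -new -x509 -key ca.key -config ca.cnf -extensions ca_a -days 30 -out ca-a.pem
openssl req -new -x509 -key ca.key -config ca.cnf -extensions ca_b -days 30 -out ca-b.pem

# Leaf issued under ca-a.pem: keyid:always copies ca-a's SKID into the leaf AKID.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out leaf.key 2>/dev/null
cat > leaf.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = leaf.example
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
openssl req -new -key leaf.key -config leaf.cnf -out leaf.csr
openssl x509 -req -in leaf.csr -CA ca-a.pem -CAkey ca.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

echo "leaf AKID keyid: $(ext_hex leaf.pem 'Authority Key Identifier')"
echo "ca-a SKID      : $(ext_hex ca-a.pem 'Subject Key Identifier')"
echo "ca-b SKID      : $(ext_hex ca-b.pem 'Subject Key Identifier')"

# Both anchors hold the key that signed leaf.pem; only the SKID differs, and
# that alone decides whether OpenSSL will even consider the candidate.
for ca in ca-a.pem ca-b.pem; do
    if verify_against "$ca"; then
        echo "$ca: accepted as issuer"
    else
        echo "$ca: rejected as issuer:"
        openssl verify -CAfile "$ca" leaf.pem 2>&1 | sed 's/^/    /' || true
    fi
done
```

The rejection is reported as "unable to get local issuer certificate" rather than a
signature failure: the candidate never reaches signature verification, which is the
distinction the thread turns on. A practitioner diagnosing the original report would
compare the AKID keyid of file3.pem with the SKID of file4.pem in the same way.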

