> On Mar 24, 2020, at 11:12 AM, Dirk Menstermann <noadsplease@xxxxxx> wrote: > > My expectation (maybe wrong) is that the serial and the issuer name belong to > the same X509 certificate that the key id belongs to. Your expectation is "wrong". The issuer DN in the AKID is in fact supposed to be the issuer's issuer. It would be redundant to encode the issuer DN there, it is already present in the EE certificate. -- Viktor.
