[openssl-dev] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier
Erwann Abalea
erwann.abalea at opentrust.com
Mon Jun 1 17:12:50 UTC 2015
Good evening John,
> On 1 June 2015 at 17:20, John Lofgren via RT <rt at openssl.org> wrote:
> […]
> One remaining question. If this extension is "only a helper and MUST NOT be
> used to (in)validate a certificate chain" as you say or as the spec says
> "non-critical", then why does 'openssl verify' reject this chain?
That’s an open question. This topic was raised on IETF PKIX last April.
The normative validation algorithm in section 6 of RFC5280 doesn’t use AKI/SKI.
RFC4158 is about path construction and is also clear on not using AKI/SKI to eliminate a certificate chain.