[openssl-dev] verify fails for 3-level cert chain when usingX509v3 Authority Key Identifier
陈雨亭
chenyt at cs.sjtu.edu.cn
Mon Jun 1 17:18:48 UTC 2015
Believe that this question will be raised again and again...
Yuting Chen
-----Original Message-----
From: Erwann Abalea
Sent: Monday, June 01, 2015 10:12 AM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] verify fails for 3-level cert chain when
usingX509v3 Authority Key Identifier
Bonsoir John,
> Le 1 juin 2015 à 17:20, John Lofgren via RT <rt at openssl.org> a écrit :
> […]
> One remaining question. If this extension is "only a helper and MUST NOT
> be
> used to (in)validate a certificate chain" as you say or as the spec says
> "non-critical", then why does 'openssl verify' reject this chain?
That’s an open question. This topic has been raised on IETF PKIX last
april.
The normative validation algorithm in section 6 of RFC5280 doesn’t use
AKI/SKI.
RFC4158 is about path construction and is also clear on not using AKI/SKI to
eliminate a certificate chain.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
More information about the openssl-dev
mailing list