[openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

Jeffrey Walton noloader at gmail.com
Sat Apr 4 21:36:19 UTC 2015


> OpenSSL could be more flexible or friendly in its building strategy.
> But that could move into the "which directory" problem rather quickly.
>
This is kind of interesting. Looking at RFC 5280, section 4.2.1.1
Authority Key Identifier (p. 26):

    The value of the keyIdentifier field SHOULD be derived
    from the public key used to verify the certificate's signature
    or a method that generates unique values.

So there's no requirement that the digest of the signer's public key
be used in the subject's AKI. It looks like it could be a totally
random value. The only requirement is that it's unique.

Now this is odd or at least counter-intuitive: the standard does not
require that the Authority Key Identifier in the subject certificate
actually match the Subject Key Identifier in the signer. It's not
stated and labeled MUST; in fact, it does not appear to be stated. I'm
looking at sections 4.2.1.1 Authority Key Identifier and 4.2.1.2
Subject Key Identifier (maybe it's stated elsewhere).

If I am reading things correctly: I think that means OpenSSL is
incorrect if it's rejecting a valid path that could be constructed. I
have to be careful how I say this since it depends on OpenSSL having
the required certificates to construct the path (among other things).
But a mismatched AKI is *not* a reason to reject.

Jeff
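The two identifiers the post compares, as an added example that is not part of the thread or of OpenSSL: it derives an SKI by RFC 5280 4.2.1.2 method (1) from a SubjectPublicKeyInfo, and applies the AKI-vs-SKI comparison a path builder can make. The certificate dicts, the `sample_spki()` key bytes and the reason strings are constructed for illustration.

```python
# Added example (not code from the thread): the RFC 5280 4.2.1.2 method (1)
# SKI derivation and the AKI-vs-SKI comparison a path builder can make.
import hashlib

def der(tag, payload):
    """Minimal DER TLV encoder for the short-form lengths used below."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def der_read(buf, pos=0):
    """Decode one TLV at pos: (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                 # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def subject_public_key_bits(spki):
    """subjectPublicKey BIT STRING value of a SubjectPublicKeyInfo without
    the unused-bits octet, which is what RFC 5280 4.2.1.2 hashes."""
    tag, body, _ = der_read(spki)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _, after_alg = der_read(body)             # skip AlgorithmIdentifier
    tag, bits, _ = der_read(body, after_alg)
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return bits[1:]

def ski_method1(spki):
    """Method (1): the 160-bit SHA-1 of the key bits."""
    return hashlib.sha1(subject_public_key_bits(spki)).digest()

def issuer_check(subject_cert, issuer_cert):
    """Certs are dicts with 'subject', 'issuer' and optional 'ski'/'aki'.
    The AKI is compared only against an SKI the issuer actually carries:
    RFC 5280 lets an AKI be any unique value, so recomputing it from the
    issuer's key would wrongly reject a legitimate issuer."""
    if subject_cert["issuer"] != issuer_cert["subject"]:
        return "name-mismatch"
    aki, ski = subject_cert.get("aki"), issuer_cert.get("ski")
    if aki is None or ski is None:
        return "ok-names-only"
    return "ok" if aki == ski else "akid-skid-mismatch"

def sample_spki():
    """Constructed RSA-shaped SubjectPublicKeyInfo; the key bytes are fake."""
    key = der(0x30, der(0x02, b"\x00\xc3" + b"\x5a" * 30) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + key))
```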

