Add FAQ about AKID.

diff --git a/FAQ b/FAQ
index fda3323f250e478c10d1af1de842a78c14b120ed..44bf0567edc513f3893c1c598da63ebaea1db46c 100644 (file)
--- a/FAQ
+++ b/FAQ
@@ -32,6 +32,7 @@ OpenSSL  -  Frequently Asked Questions
 * How do I install a CA certificate into a browser?
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
 * What is a "128 bit certificate"? Can I create one with OpenSSL?
+* Why does OpenSSL set the authority key identifier extension incorrectly?
 
 [BUILD] Questions about building and testing OpenSSL
 
@@ -425,6 +426,25 @@ The export laws were later changed to allow almost unrestricted use of strong
 encryption so these certificates are now obsolete.
 
 
+* Why does OpenSSL set the authority key identifier AKID) extension incorrectly?
+
+It doesn't: this extension is often the cause of confusion.
+
+Consider a certificate chain A->B->C so that A signs, B and B signs C. Suppose
+certificate C contains AKID.
+
+The purpose of this extension is to identify the authority certificate B. This
+can be done either by including the subject key identifier of B or its issuer
+name and serial number.
+
+In this latter case because it is identifying certifcate B it must contain the
+issuer name and serial number of B.
+
+It is often wrongly assumed that it should contain the issuer name of C. If it
+did this would be redundant information because it would duplicate the issuer
+name of C.
+
+
 [BUILD] =======================================================================
 
 * Why does the linker complain about undefined symbols?