From: Dr. Stephen Henson Date: Sat, 11 Feb 2006 00:46:34 +0000 (+0000) Subject: Add FAQ about AKID. X-Git-Tag: OpenSSL_0_9_8k^2~1565 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=a070f0dac56e622fab79a7bca021f3d69d492aab;p=oweals%2Fopenssl.git Add FAQ about AKID. --- diff --git a/FAQ b/FAQ index fda3323f25..44bf0567ed 100644 --- a/FAQ +++ b/FAQ @@ -32,6 +32,7 @@ OpenSSL - Frequently Asked Questions * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? +* Why does OpenSSL set the authority key identifier extension incorrectly? [BUILD] Questions about building and testing OpenSSL @@ -425,6 +426,25 @@ The export laws were later changed to allow almost unrestricted use of strong encryption so these certificates are now obsolete. +* Why does OpenSSL set the authority key identifier AKID) extension incorrectly? + +It doesn't: this extension is often the cause of confusion. + +Consider a certificate chain A->B->C so that A signs, B and B signs C. Suppose +certificate C contains AKID. + +The purpose of this extension is to identify the authority certificate B. This +can be done either by including the subject key identifier of B or its issuer +name and serial number. + +In this latter case because it is identifying certifcate B it must contain the +issuer name and serial number of B. + +It is often wrongly assumed that it should contain the issuer name of C. If it +did this would be redundant information because it would duplicate the issuer +name of C. + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols?
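Review bot: the index entry added in the first hunk (@@ -32,6 +32,7) does not match the heading added in the second hunk. The index line reads "Why does OpenSSL set the authority key identifier extension incorrectly?" while the heading also carries the AKID abbreviation. Make the two lines identical so a reader can search from the index straight to the answer.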
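Review bot: the heading added in the second hunk (@@ -425,6 +426,25) reads "authority key identifier AKID) extension", with the opening parenthesis missing; it should be "(AKID)". In the same hunk, "A signs, B and B signs C" has a stray comma that breaks the description of the chain and should read "A signs B and B signs C", and "certifcate" should be "certificate". Since the answer rests on "the issuer name and serial number of B", it would also help to say outright that in the chain A->B->C this issuer name is the name of A, which is the point readers tend to miss.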