From a070f0dac56e622fab79a7bca021f3d69d492aab Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 11 Feb 2006 00:46:34 +0000 Subject: [PATCH] Add FAQ about AKID. --- FAQ | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/FAQ b/FAQ index fda3323f25..44bf0567ed 100644 --- a/FAQ +++ b/FAQ @@ -32,6 +32,7 @@ OpenSSL - Frequently Asked Questions * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? +* Why does OpenSSL set the authority key identifier extension incorrectly? [BUILD] Questions about building and testing OpenSSL @@ -425,6 +426,25 @@ The export laws were later changed to allow almost unrestricted use of strong encryption so these certificates are now obsolete. +* Why does OpenSSL set the authority key identifier AKID) extension incorrectly? + +It doesn't: this extension is often the cause of confusion. + +Consider a certificate chain A->B->C so that A signs, B and B signs C. Suppose +certificate C contains AKID. + +The purpose of this extension is to identify the authority certificate B. This +can be done either by including the subject key identifier of B or its issuer +name and serial number. + +In this latter case because it is identifying certifcate B it must contain the +issuer name and serial number of B. + +It is often wrongly assumed that it should contain the issuer name of C. If it +did this would be redundant information because it would duplicate the issuer +name of C. + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? -- 2.25.1
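Review bot: In the first hunk (the question index at line 35) the new entry reads "authority key identifier extension", while the heading this patch adds to the answer section reads "authority key identifier AKID) extension incorrectly?". The index entry and the answer heading should be character-for-character identical so that a reader who searches the FAQ for the index text lands on the answer; suggest using "authority key identifier (AKID) extension" in both places.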
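Review bot: In the second hunk the new answer has three wording defects that should be fixed before merging: the heading has an unbalanced parenthesis ("AKID)" should be "(AKID)"); the chain description "A->B->C so that A signs, B and B signs C" has the comma in the wrong place and should read "A signs B, and B signs C"; and "certifcate" in "because it is identifying certifcate B" is misspelled. The substance is correct (the issuer-name-and-serial form of AKID identifies the CA certificate B, so it carries B's issuer and B's serial, not C's issuer), but the answer would be easier to verify if it named the two forms by their ASN.1 field names, keyIdentifier versus authorityCertIssuer plus authorityCertSerialNumber, and pointed at RFC 3280 section 4.2.1.1, which defines the extension.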