<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#467886" vlink="#96607D" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;mso-ligatures:none'>Forwarding this to the public list with Viktor’s permission. Is there any discussion? <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;mso-ligatures:none'>I can add it to the agenda for the next call.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;mso-ligatures:none'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;mso-ligatures:none'>Dean Coclin<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial",sans-serif;mso-ligatures:none'>CSCWG Chair<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;mso-ligatures:none'> Varga Viktor <br><b>Sent:</b> Thursday, August 1, 2024 4:15 AM<br><b>To:</b> Dean Coclin <br><b>Subject:</b> Mistake in CSBR <o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a name="_Hlk32504543">Dear Dean,<o:p></o:p></a></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>I think I found a mistake in the CSBR.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>Neither in the chapter 7.1.2.1 Root CA Certificate nor in the chapter 7.1.2.2 Subordinate CA Certificate can we found section for the subjectKeyIdentifier (later SKI) extension.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>But also 7.1.2.4 explicitly denies to use any other extension than listed in these chapter.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>But the RFC 5280 mandates this. (I added the important chapters to the end of mail)<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>May I ask for correction to add the SKI to the requirements? <br>This extension shall be added to 7.1.2.1 and 7.1.2.2 and optionally in 7.1.2.3.<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>Also I would like to ask: <o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>Can we agree in that, if we are issuing CA certificate until the correction, a CA certificate with SKI can be accepted as good because it fits in the term: “<i>unless the CA is aware of a reason”.<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i><o:p> </o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>Kind regards,<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>Viktor<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><b><span lang=HU style='font-size:11.0pt;font-variant:small-caps;color:#5A5A5A;mso-ligatures:none'>Viktor Varga</span></b></span><span style='mso-bookmark:_Hlk32504543'><b><span lang=HU style='font-size:11.0pt;font-variant:small-caps;color:#FFC000;mso-ligatures:none'><br></span></b></span><span style='mso-bookmark:_Hlk32504543'><span lang=HU style='font-size:11.0pt;font-variant:small-caps;color:#5A5A5A;mso-ligatures:none'>PKI Architect & Trust Services Manager<o:p></o:p></span></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><span lang=HU style='font-size:11.0pt;mso-ligatures:none'><img width=151 height=14 style='width:1.575in;height:.15in' id="Kép_x0020_10" src="cid:image001.png@01DAE42E.F4428680"></span></span><span style='mso-bookmark:_Hlk32504543'><span lang=HU style='font-size:11.0pt;font-variant:small-caps;color:#5A5A5A;mso-ligatures:none'><o:p></o:p></span></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i><o:p> </o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>CSBR<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i>7.1.2.4 All Certificates <o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i>All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extKeyUsage value, Certificate extension, or other data not specified in Section 7.1.2.1, Section 7.1.2.2, or Section 7.1.2.3 unless the CA is aware of a reason for including the data in the Certificate.<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'>RFC 5280<o:p></o:p></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i>4.2.1.2. Subject Key Identifier<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i><o:p> </o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i> The subject key identifier extension provides a means of identifying<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i> certificates that contain a particular public key.<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i><o:p> </o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i> To facilitate certification path construction, this extension MUST<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i> appear in all conforming CA certificates, that is, all certificates<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i> including the basic constraints extension (Section 4.2.1.9) where the<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><i> value of cA is TRUE.<o:p></o:p></i></span></p><p class=MsoNormal><span style='mso-bookmark:_Hlk32504543'><o:p> </o:p></span></p><span style='mso-bookmark:_Hlk32504543'></span><p class=MsoNormal><o:p> </o:p></p></div></body></html>