<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.contentpasted0
{mso-style-name:contentpasted0;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hi Paul,<o:p></o:p></p><p class=MsoNormal>This was brought up by Aneta on a July 2021 call [1], where Ryan (S.) presented the rationale for the current “NOT RECOMMENDEND” language. I’ll raise your question on tomorrow’s call for discussion.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[1] <a href="https://lists.cabforum.org/pipermail/validation/2021-July/001672.html">https://lists.cabforum.org/pipermail/validation/2021-July/001672.html</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Validation <validation-bounces@cabforum.org> <b>On Behalf Of </b>Paul van Brouwershaven via Validation<br><b>Sent:</b> Wednesday, November 30, 2022 3:36 PM<br><b>To:</b> CABforum3 <validation@cabforum.org><br><b>Subject:</b> [cabf_validation] RFC 5280 conflict for SKI in subscriber certificates<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal style='margin-bottom:8.0pt;background:white'><span class=contentpasted0><span style='color:black'>Section 7.1.2.7.6 (Subscriber Certificate Extensions) of the new certificate profiles state that the inclusion of the subjectKeyIdentifier is NOT RECOMMENDED, this contradicts section 4.2.1.2 (Subject Key Identifier) of RFC 5280 that states that entity certificates SHOULD include the SKI: </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span class=contentpasted0><span style='font-size:10.0pt;font-family:"Courier New";color:black'> For end entity certificates, the subject key identifier extension </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span class=contentpasted0><span style='font-size:10.0pt;font-family:"Courier New";color:black'> provides a means for identifying certificates containing the </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span class=contentpasted0><span style='font-size:10.0pt;font-family:"Courier New";color:black'> particular public key used in an application. Where an end entity </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span class=contentpasted0><span style='font-size:10.0pt;font-family:"Courier New";color:black'> has obtained multiple certificates, especially from multiple CAs, the </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span class=contentpasted0><span style='font-size:10.0pt;font-family:"Courier New";color:black'> subject key identifier provides a means to quickly identify the set </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span class=contentpasted0><span style='font-size:10.0pt;font-family:"Courier New";color:black'> of certificates containing a particular public key. <span style='background:yellow;mso-highlight:yellow'>To assist </span></span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span class=contentpasted0><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:yellow;mso-highlight:yellow'> applications in identifying the appropriate end entity certificate, </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span class=contentpasted0><span style='font-size:10.0pt;font-family:"Courier New";color:black;background:yellow;mso-highlight:yellow'> this extension SHOULD be included in all end entity certificates.</span></span><span style='font-size:10.0pt;font-family:"Courier New";color:black'> </span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:8.0pt;background:white'><span style='color:black'> <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:8.0pt;background:white'><span class=contentpasted0><span style='color:black'>Looking at the data from Censys we also see that almost all end-entity certificates include the SKI: </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:8.0pt;background:white'><span style='color:black'><a href="https://search.censys.io/certificates?q=%28tags.raw%3A+%22precert%22+AND+tags.raw%3A+%22trusted%22%29+AND+NOT+parsed.extensions.subject_key_id%3A+%2A">(tags.raw: "precert" AND tags.raw: "trusted") AND NOT parsed.extensions.subject_key_id: * - Censys</a> <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:8.0pt;background:white'><span class=contentpasted0><span style='color:black'>Can we align the profile with RFC 5280 and change the inclusion of the SKI to a SHOULD instead of the current NOT RECOMMENDED? </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:8.0pt;background:white'><span class=contentpasted0><span style='color:black'>Paul </span></span><span style='color:black'><o:p></o:p></span></p><p class=MsoNormal style='background:white'><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><p class=MsoNormal><i>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</i> <o:p></o:p></p></div></body></html>