<div dir="ltr">"SHOULD" <a href="https://datatracker.ietf.org/doc/html/rfc2119#section-3">means</a> that "there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.". In the profiles draft, the subjectKeyIdentifier is profiled as a MUST for all CA certificates, and only as NOT RECOMMENDED for end-entity certificates.<div><br></div><div>In my opinion, the better way to resolve this discrepancy between RFC 5280 and the BRs is to document in Section 7.1.2.11.4 <i>why</i> this field is not useful for end-entity certs: namely, that no other certificate will ever contain the same value in its Authority Key Identifier extension, so it serves little-to-no purpose and simply increases the size of the certificate with usually-redundant (i.e. derived from the public key by a simple hash function) data.</div><div><br></div><div>Aaron</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Nov 30, 2022 at 12:36 PM Paul van Brouwershaven via Validation <<a href="mailto:validation@cabforum.org">validation@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-7160472501421898242">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri,sans-serif">
<span lang="EN-US">Section 7.1.2.7.6 (Subscriber Certificate Extensions) of the new certificate profiles state that
the inclusion of the subjectKeyIdentifier is NOT RECOMMENDED, this contradicts section 4.2.1.2 (Subject Key Identifier) of RFC 5280 that states that entity certificates SHOULD include the SKI:<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-size:10pt;font-family:"Courier New";color:black"><span>
</span>For end entity certificates, the subject key identifier extension<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-size:10pt;font-family:"Courier New";color:black"><span>
</span>provides a means for identifying certificates containing the<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-size:10pt;font-family:"Courier New";color:black"><span>
</span>particular public key used in an application.<span>
</span>Where an end entity<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-size:10pt;font-family:"Courier New";color:black"><span>
</span>has obtained multiple certificates, especially from multiple CAs, the<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-size:10pt;font-family:"Courier New";color:black"><span>
</span>subject key identifier provides a means to quickly identify the set<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-size:10pt;font-family:"Courier New";color:black"><span>
</span>of certificates containing a particular public key.<span>
</span><span style="background:yellow">To assist<u></u> <u></u></span></span></p>
<p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-size:10pt;font-family:"Courier New";color:black;background:yellow"><span>
</span>applications in identifying the appropriate end entity certificate,<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm;font-size:11pt;font-family:Calibri,sans-serif">
<span style="font-size:10pt;font-family:"Courier New";color:black;background:yellow"><span>
</span>this extension SHOULD be included in all end entity certificates.</span><span style="font-size:10pt;font-family:"Courier New";color:black"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri,sans-serif">
<span><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri,sans-serif">
<span>Looking at the data from Censys we also see that almost all end-entity certificates include the SKI:<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri,sans-serif">
<a href="https://search.censys.io/certificates?q=%28tags.raw%3A+%22precert%22+AND+tags.raw%3A+%22trusted%22%29+AND+NOT+parsed.extensions.subject_key_id%3A+%2A" target="_blank">(tags.raw: "precert" AND tags.raw: "trusted") AND NOT parsed.extensions.subject_key_id:
* - Censys</a><span><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri,sans-serif">
<span>Can we align the profile with RFC 5280 and change the inclusion of the SKI to a SHOULD instead of the current NOT RECOMMENDED?<u></u> <u></u></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri,sans-serif">
<span>Paul<u></u> <u></u></span></p>
<br>
</div>
<i>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</i>
</div>
_______________________________________________<br>
Validation mailing list<br>
<a href="mailto:Validation@cabforum.org" target="_blank">Validation@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/validation" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/validation</a><br>
</div></blockquote></div>