<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri, sans-serif">
<span lang="EN-US" style="mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;mso-ansi-language:EN-US" class="ContentPasted0">Section 7.1.2.7.6 (Subscriber Certificate Extensions) of the new certificate profiles states that the inclusion of the subjectKeyIdentifier is NOT RECOMMENDED. This contradicts section 4.2.1.2 (Subject Key Identifier) of RFC 5280, which states that entity certificates SHOULD include the SKI:<o:p class="ContentPasted0"> </o:p></span></p>
<pre style="font-size:10.0pt;font-family:'Courier New';color:black;margin:0cm 0cm 8pt">
For end entity certificates, the subject key identifier extension
provides a means for identifying certificates containing the
particular public key used in an application.  Where an end entity
has obtained multiple certificates, especially from multiple CAs, the
subject key identifier provides a means to quickly identify the set
of certificates containing a particular public key.  <span style="background:yellow">To assist
applications in identifying the appropriate end entity certificate,
this extension SHOULD be included in all end entity certificates.</span>
</pre>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri, sans-serif">
<span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><o:p class="ContentPasted0"> </o:p></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri, sans-serif">
<span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri" class="ContentPasted0">Looking at the data from Censys we also see that almost all end-entity certificates include the SKI:<o:p class="ContentPasted0"> </o:p></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri, sans-serif">
<a href="https://search.censys.io/certificates?q=%28tags.raw%3A+%22precert%22+AND+tags.raw%3A+%22trusted%22%29+AND+NOT+parsed.extensions.subject_key_id%3A+%2A" class="ContentPasted0">(tags.raw: "precert" AND tags.raw: "trusted") AND NOT parsed.extensions.subject_key_id: * - Censys</a><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri"><o:p class="ContentPasted0"> </o:p></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri, sans-serif">
<span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri" class="ContentPasted0">Can we align the profile with RFC 5280 and change the inclusion of the SKI to a SHOULD instead of the current NOT RECOMMENDED?<o:p class="ContentPasted0"> </o:p></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 8pt;font-size:11pt;font-family:Calibri, sans-serif">
<span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri" class="ContentPasted0">Paul<o:p class="ContentPasted0"> </o:p></span></p>
<br>
</div>
<i>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</i>
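<p>As an added illustration of the lookup the quoted RFC 5280 text describes (this is not part of Paul's message, the profile, or any CA's code), the Go program below, using only the Go standard library, derives a subject key identifier with RFC 5280 section 4.2.1.2 method (1), builds a constructed pool of self-signed end-entity certificates for two keys (one certificate per key with the SKI, one without), and then finds every certificate that contains a given public key. It shows the practical consequence of omitting the extension: a relying party can screen SKI-bearing certificates with a 20-byte comparison, while SKI-less certificates force a full SubjectPublicKeyInfo comparison. It also checks the SKI against the certificate's own key, since the RFC permits a CA to pick any unique identifier, so an SKI match is a hint that still needs confirming. Key material, serial numbers and the subject name are constructed for the example.</p>

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidSubjectKeyId = asn1.ObjectIdentifier{2, 5, 29, 14} // id-ce-subjectKeyIdentifier

// subjectPublicKeyInfo mirrors the SEQUENCE in RFC 5280 section 4.1.2.7 so the
// subjectPublicKey BIT STRING can be reached for hashing.
type subjectPublicKeyInfo struct {
	Algorithm        pkix.AlgorithmIdentifier
	SubjectPublicKey asn1.BitString
}

// ComputeSKI derives the key identifier with RFC 5280 section 4.2.1.2 method (1):
// the 160-bit SHA-1 hash of the subjectPublicKey BIT STRING value (tag, length and
// unused-bits octet excluded). SHA-1 here is the RFC's identifier construction,
// not a security boundary: an SKI is a lookup hint, never proof of key identity.
func ComputeSKI(pub interface{}) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki subjectPublicKeyInfo
	rest, err := asn1.Unmarshal(der, &spki)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after SubjectPublicKeyInfo")
	}
	sum := sha1.Sum(spki.SubjectPublicKey.Bytes)
	return sum[:], nil
}

// HasSKI reports whether the certificate carries a subjectKeyIdentifier extension.
func HasSKI(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSubjectKeyId) {
			return true
		}
	}
	return false
}

// CertsForKey returns the certificates in pool whose public key is pub. SKI-bearing
// certificates are screened by a 20-byte comparison; the rest (counted in
// fullCompares) can only be matched on the whole SubjectPublicKeyInfo. An SKI
// match is confirmed against the SPKI because RFC 5280 allows any unique value.
func CertsForKey(pool []*x509.Certificate, pub interface{}) (matches []*x509.Certificate, fullCompares int, err error) {
	wantSKI, err := ComputeSKI(pub)
	if err != nil {
		return nil, 0, err
	}
	wantSPKI, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, 0, err
	}
	for _, c := range pool {
		if HasSKI(c) && !bytes.Equal(c.SubjectKeyId, wantSKI) {
			continue // cheap rejection: different key identifier
		}
		if !HasSKI(c) {
			fullCompares++ // no SKI: nothing to screen on
		}
		if bytes.Equal(c.RawSubjectPublicKeyInfo, wantSPKI) {
			matches = append(matches, c)
		}
	}
	return matches, fullCompares, nil
}

// makeEndEntityCert builds a self-signed end-entity certificate (cA=FALSE) for
// priv's public key, with or without the SKI. Self-signing keeps the example
// offline; the extension means the same thing under a real CA.
func makeEndEntityCert(priv *ecdsa.PrivateKey, serial int64, includeSKI bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, // IsCA stays false: Go then adds no SKI on its own
	}
	if includeSKI {
		ski, err := ComputeSKI(&priv.PublicKey)
		if err != nil {
			return nil, err
		}
		tmpl.SubjectKeyId = ski
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo builds the constructed pool (key A and key B, each with one SKI-bearing and
// one SKI-less certificate), looks up key A, and reports how many certificates
// were found, how many could not be screened by SKI, and whether the SKI-bearing
// key-A certificate's identifier equals method (1) recomputed from its own key.
func Demo() (found int, unscreened int, skiMatchesKey bool, err error) {
	keyA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, 0, false, err
	}
	keyB, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, 0, false, err
	}
	var pool []*x509.Certificate
	specs := []struct {
		key *ecdsa.PrivateKey
		ski bool
	}{{keyA, true}, {keyA, false}, {keyB, true}, {keyB, false}}
	for i, s := range specs {
		c, cerr := makeEndEntityCert(s.key, int64(i+1), s.ski)
		if cerr != nil {
			return 0, 0, false, cerr
		}
		pool = append(pool, c)
	}
	matches, unscreened, err := CertsForKey(pool, &keyA.PublicKey)
	if err != nil {
		return 0, 0, false, err
	}
	recomputed, err := ComputeSKI(pool[0].PublicKey)
	if err != nil {
		return 0, 0, false, err
	}
	return len(matches), unscreened, bytes.Equal(recomputed, pool[0].SubjectKeyId), nil
}

func main() {
	found, unscreened, ok, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("certificates containing key A: %d; full SPKI comparison needed for %d of %d; SKI consistent with method (1): %v\n",
		found, unscreened, 4, ok)
}
```

<p>Running it reports two certificates for key A, two pool entries that had to be compared on the full SPKI because they carry no SKI, and a consistent identifier on the SKI-bearing certificate. The SPKI confirmation after an SKI match is deliberate: treating equal identifiers as equal keys would be wrong under the RFC's own rules, so the extension speeds the search without replacing the comparison.</p>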
</body>
</html>