<div dir="ltr">If you're searching for certificates with the same key, the SKID can easily lead you astray -- there's no requirement that two different CAs use the same derivation function to compute the SKID from the Public Key. The SKID is useful in CA certs because it is required to byte-for-byte match the AKID in issued certs. I don't believe the SKID in end-entity certs serves any purpose in the modern webpki.<div><br></div><div>I'd love to hear more from Corey and/or Ryan Sleevi on the original motivation for this from July 2021, in case I'm missing something, but obviously I'm convinced already :)</div><div><br></div><div>Aaron</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Dec 1, 2022 at 7:18 AM Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com">Paul.vanBrouwershaven@entrust.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg2840989779679190445">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<span style="color:rgb(0,0,0);font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt">The SKI is useful to quickly search for certificates with the same key.</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Is saving a few bytes a sufficient reason to 'deviate' from RFC 5280, where we try to get everyone to focus on RFC 5280 adherence at the same time?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Are we sure that this would not cause any client incompatibility issues? Almost<span style="background-color:rgb(255,255,255);display:inline"> all certificates include the SKI today and while this might be fine for the major
browsers, we also know that there are other clients/libraries that interact with web websites.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Paul</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div id="m_-8904594178938362390appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_-8904594178938362390divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Hubert Chao <<a href="mailto:hchao@google.com" target="_blank">hchao@google.com</a>><br>
<b>Sent:</b> Thursday, December 1, 2022 15:59<br>
<b>To:</b> Lahtiharju, Pekka <<a href="mailto:pekka.lahtiharju@teliacompany.com" target="_blank">pekka.lahtiharju@teliacompany.com</a>>; CA/Browser Forum Validation SC List <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>><br>
<b>Cc:</b> Aaron Gable <<a href="mailto:aaron@letsencrypt.org" target="_blank">aaron@letsencrypt.org</a>>; Paul van Brouwershaven <<a href="mailto:Paul.vanBrouwershaven@entrust.com" target="_blank">Paul.vanBrouwershaven@entrust.com</a>><br>
<b>Subject:</b> [EXTERNAL] Re: [cabf_validation] RFC 5280 conflict for SKI in subscriber certificates</font>
<div> </div>
</div>
<div>WARNING: This email originated outside of Entrust.<br>
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.<br>
<hr>
<div dir="ltr">
<div dir="ltr">On Thu, Dec 1, 2022 at 5:21 AM Lahtiharju, Pekka via Validation <<a href="mailto:validation@cabforum.org" target="_blank">validation@cabforum.org</a>> wrote:<br>
</div>
<div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div lang="EN-US">
<div>
<p>I support Paul’s idea to change this to SHOULD. Why should we create new recommendations against RFC when this extension is useful in several use cases and almost everybody is using it now.</p>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Could you list out the use cases where this extension is useful for a TLS certificate? The discussion that Corey linked to (<a href="https://urldefense.com/v3/__https://lists.cabforum.org/pipermail/validation/2021-July/001672.html__;!!FJ-Y8qCqXTj2!bhb6QGSEpqEOi6JyHDzixLHA_ziEpOs6UQYkMiffRA4PH_9fFgyIiZRW3epCZqq0_V5K5pDehK6XTaH3PNBz1ibt$" target="_blank">https://lists.cabforum.org/pipermail/validation/2021-July/001672.html</a>)
specifically says "... a TLS certificate [SKI] should not be needed ... ".</div>
<div><br>
</div>
<div>/hubert </div>
</div>
</div>
</div>
<i>Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the
information it contains. <u>Please notify Entrust immediately</u> and delete the message from your system.</i>
</div>
</div></blockquote></div>