[cabf_validation] [EXTERNAL] Re: RFC 5280 conflict for SKI in subscriber certificates

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Thu Dec 1 15:18:22 UTC 2022


The SKI is useful to quickly search for certificates with the same key.

Is saving a few bytes a sufficient reason to 'deviate' from RFC 5280, where we try to get everyone to focus on RFC 5280 adherence at the same time?

Are we sure that this would not cause any client incompatibility issues? Almost all certificates include the SKI today and while this might be fine for the major browsers, we also know that there are other clients/libraries that interact with web websites.

Paul

________________________________
From: Hubert Chao <hchao at google.com>
Sent: Thursday, December 1, 2022 15:59
To: Lahtiharju, Pekka <pekka.lahtiharju at teliacompany.com>; CA/Browser Forum Validation SC List <validation at cabforum.org>
Cc: Aaron Gable <aaron at letsencrypt.org>; Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>
Subject: [EXTERNAL] Re: [cabf_validation] RFC 5280 conflict for SKI in subscriber certificates

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
________________________________
On Thu, Dec 1, 2022 at 5:21 AM Lahtiharju, Pekka via Validation <validation at cabforum.org<mailto:validation at cabforum.org>> wrote:

I support Paul’s idea to change this to SHOULD. Why should we create new recommendations against RFC when this extension is useful in several use cases and almost everybody is using it now.

Could you list out the use cases where this extension is useful for a TLS certificate? The discussion that Corey linked to (https://lists.cabforum.org/pipermail/validation/2021-July/001672.html<https://urldefense.com/v3/__https://lists.cabforum.org/pipermail/validation/2021-July/001672.html__;!!FJ-Y8qCqXTj2!bhb6QGSEpqEOi6JyHDzixLHA_ziEpOs6UQYkMiffRA4PH_9fFgyIiZRW3epCZqq0_V5K5pDehK6XTaH3PNBz1ibt$>) specifically says "... a TLS certificate [SKI] should not be needed ... ".

/hubert
Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20221201/4cc85ec2/attachment.html>


More information about the Validation mailing list