[cabf_validation] RFC 5280 conflict for SKI in subscriber certificates

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Wed Nov 30 20:36:15 UTC 2022


Section 7.1.2.7.6 (Subscriber Certificate Extensions) of the new certificate profiles states that the inclusion of the subjectKeyIdentifier is NOT RECOMMENDED. This contradicts section 4.2.1.2 (Subject Key Identifier) of RFC 5280, which states that entity certificates SHOULD include the SKI:
   For end entity certificates, the subject key identifier extension
   provides a means for identifying certificates containing the
   particular public key used in an application.  Where an end entity
   has obtained multiple certificates, especially from multiple CAs, the
   subject key identifier provides a means to quickly identify the set
   of certificates containing a particular public key.  To assist
   applications in identifying the appropriate end entity certificate,
   this extension SHOULD be included in all end entity certificates.

Looking at the data from Censys, we also see that almost all end-entity certificates include the SKI:
(tags.raw: "precert" AND tags.raw: "trusted") AND NOT parsed.extensions.subject_key_id: * - Censys<https://search.censys.io/certificates?q=%28tags.raw%3A+%22precert%22+AND+tags.raw%3A+%22trusted%22%29+AND+NOT+parsed.extensions.subject_key_id%3A+%2A>
Can we align the profile with RFC 5280 and change the inclusion of the SKI to a SHOULD instead of the current NOT RECOMMENDED?
Paul
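The RFC text quoted above describes the SKI as a lookup handle for a public key; the following script, added here as an illustration and not part of the mailing-list post or the CA/B Forum profile, shows what that handle actually is and how a linter would check it. It computes the SKI by RFC 5280 section 4.2.1.2 method (1) (the 160-bit SHA-1 of the subjectPublicKey BIT STRING value), reports whether an end-entity certificate carries the extension and whether the value matches the key, and cross-checks the computation against the third-party `cryptography` package, which it requires. The keys and self-signed certificates are generated in-process as constructed test data; the name `ski-example.test` is a placeholder.

```python
"""Check an end-entity certificate for a Subject Key Identifier (RFC 5280
section 4.2.1.2) and verify the value against the certificate's public key.

Added example; requires the third-party `cryptography` package. All keys and
certificates are constructed in-process, nothing here touches a real CA."""
import datetime
import hashlib
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa


def expected_ski(public_key) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the value of the BIT STRING
    subjectPublicKey (tag, length and the unused-bits byte excluded).
    For EC keys that value is the X9.62 uncompressed point; for RSA keys it
    is the DER-encoded PKCS#1 RSAPublicKey."""
    if isinstance(public_key, ec.EllipticCurvePublicKey):
        bits = public_key.public_bytes(serialization.Encoding.X962,
                                       serialization.PublicFormat.UncompressedPoint)
    elif isinstance(public_key, rsa.RSAPublicKey):
        bits = public_key.public_bytes(serialization.Encoding.DER,
                                       serialization.PublicFormat.PKCS1)
    else:
        raise TypeError("unsupported key type for this example")
    return hashlib.sha1(bits).digest()


def check_ski(cert: x509.Certificate) -> dict:
    """Report whether the SKI extension is present and, if so, whether its
    value is the method (1) identifier of the certificate's key."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        return {"present": False, "matches_key": None}
    return {"present": True,
            "matches_key": ext.value.digest == expected_ski(cert.public_key())}


def make_end_entity_cert(ski: str = "correct") -> x509.Certificate:
    """Build a self-signed end-entity certificate (constructed test data).
    ski: "correct" = method (1) value, "wrong" = 20 zero bytes, "none" = omitted."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ski-example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=90))
               .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                              critical=True))
    if ski == "correct":
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    elif ski == "wrong":
        builder = builder.add_extension(x509.SubjectKeyIdentifier(b"\x00" * 20),
                                        critical=False)
    return builder.sign(key, hashes.SHA256())


def library_agrees(key_type: str = "rsa") -> bool:
    """Cross-check expected_ski() against cryptography's own from_public_key()."""
    if key_type == "rsa":
        pub = rsa.generate_private_key(public_exponent=65537, key_size=2048).public_key()
    else:
        pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    return x509.SubjectKeyIdentifier.from_public_key(pub).digest == expected_ski(pub)


if __name__ == "__main__":
    for variant in ("correct", "wrong", "none"):
        print(variant, check_ski(make_end_entity_cert(variant)))
    print("rsa agrees:", library_agrees("rsa"), "ec agrees:", library_agrees("ec"))
```

The "wrong" variant matters for a profile check: the RFC lets a CA derive the SKI by any method that produces a unique value, so a mismatch against method (1) is a finding to review rather than an automatic error, but a certificate that omits the extension entirely is what the profile language under discussion would permit.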
