[cabf_validation] RFC 5280 conflict for SKI in subscriber certificates
Paul van Brouwershaven
Paul.vanBrouwershaven at entrust.com
Wed Nov 30 20:36:15 UTC 2022
Section 7.1.2.7.6 (Subscriber Certificate Extensions) of the new certificate profiles states that the inclusion of the subjectKeyIdentifier is NOT RECOMMENDED; this contradicts section 4.2.1.2 (Subject Key Identifier) of RFC 5280, which states that entity certificates SHOULD include the SKI:
    For end entity certificates, the subject key identifier extension
    provides a means for identifying certificates containing the
    particular public key used in an application. Where an end entity
    has obtained multiple certificates, especially from multiple CAs, the
    subject key identifier provides a means to quickly identify the set
    of certificates containing a particular public key. To assist
    applications in identifying the appropriate end entity certificate,
    this extension SHOULD be included in all end entity certificates.
Looking at the data from Censys we also see that almost all end-entity certificates include the SKI:
    (tags.raw: "precert" AND tags.raw: "trusted") AND NOT parsed.extensions.subject_key_id: *

Censys: https://search.censys.io/certificates?q=%28tags.raw%3A+%22precert%22+AND+tags.raw%3A+%22trusted%22%29+AND+NOT+parsed.extensions.subject_key_id%3A+%2A
Can we align the profile with RFC 5280 and change the inclusion of the SKI to a SHOULD instead of the current NOT RECOMMENDED?
Paul
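Added example (not part of the original post): a pure-Python derivation of the RFC 5280 section 4.2.1.2 key identifier from a DER SubjectPublicKeyInfo, plus the lookup the RFC text describes, showing what a relying party has to fall back to when a certificate omits the SKI. The SPKI bytes and the certificate list are constructed for illustration.

```python
import hashlib

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key (OID 1.3.101.112).
# The 32 key bytes are made up; only the DER structure matters for the identifier.
KEY32 = bytes(range(1, 33))
SPKI_DER = bytes.fromhex("302a300506032b6570032100") + KEY32

def _der_tlv(data: bytes, offset: int = 0):
    """Return (tag, value, next_offset) for the DER TLV starting at offset."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, offset = int.from_bytes(data[offset:offset + n], "big"), offset + n
    return tag, data[offset:offset + length], offset + length

def subject_public_key_bits(spki_der: bytes) -> bytes:
    """Contents of the subjectPublicKey BIT STRING, without tag, length or unused-bits octet."""
    tag, body, _ = _der_tlv(spki_der)          # SubjectPublicKeyInfo ::= SEQUENCE
    alg_tag, _, off = _der_tlv(body)           # algorithm AlgorithmIdentifier
    bits_tag, bits, _ = _der_tlv(body, off)    # subjectPublicKey BIT STRING
    if (tag, alg_tag, bits_tag) != (0x30, 0x30, 0x03):
        raise ValueError("not a SubjectPublicKeyInfo")
    return bits[1:]                            # RFC 5280 hashes the octets after the unused-bits count

def key_identifier(spki_der: bytes, method: int = 1) -> bytes:
    """RFC 5280 4.2.1.2 methods: (1) SHA-1 of the key bits; (2) 0100 || low 60 bits of it."""
    digest = hashlib.sha1(subject_public_key_bits(spki_der)).digest()
    if method == 1:
        return digest
    return bytes([0x40 | (digest[12] & 0x0F)]) + digest[13:]

def certs_containing_key(spki_der: bytes, certs) -> list:
    """Names of certificates carrying this key. A present SKI is a cheap comparison;
    a certificate without one forces parsing and comparing the public key itself."""
    wanted_ski, wanted_bits = key_identifier(spki_der), subject_public_key_bits(spki_der)
    matches = []
    for cert in certs:
        if cert["ski"] is not None:
            hit = cert["ski"] == wanted_ski     # assumes the issuer used method (1)
        else:
            hit = subject_public_key_bits(cert["spki"]) == wanted_bits
        if hit:
            matches.append(cert["name"])
    return matches

# Constructed certificate set: the same key with and without an SKI, plus an unrelated key.
OTHER_SPKI = SPKI_DER[:-1] + b"\xff"
SAMPLE_CERTS = [
    {"name": "with-ski", "spki": SPKI_DER, "ski": key_identifier(SPKI_DER)},
    {"name": "no-ski", "spki": SPKI_DER, "ski": None},
    {"name": "other-key", "spki": OTHER_SPKI, "ski": key_identifier(OTHER_SPKI)},
]
```

The SKI comparison only works as a shortcut when the issuer derived it by the same method, which RFC 5280 does not mandate; comparing the key bits is the fallback either way.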