[cabf_validation] RFC 5280 conflict for SKI in subscriber certificates

Corey Bonnell Corey.Bonnell at digicert.com
Wed Nov 30 21:13:46 UTC 2022

Hi Paul,

This was brought up by Aneta on a July 2021 call [1], where Ryan (S.)
presented the rationale for the current "NOT RECOMMENDEND" language. I'll
raise your question on tomorrow's call for discussion.





[1] https://lists.cabforum.org/pipermail/validation/2021-July/001672.html


From: Validation <validation-bounces at cabforum.org> On Behalf Of Paul van
Brouwershaven via Validation
Sent: Wednesday, November 30, 2022 3:36 PM
To: CABforum3 <validation at cabforum.org>
Subject: [cabf_validation] RFC 5280 conflict for SKI in subscriber


Section (Subscriber Certificate Extensions) of the new certificate
profiles state that the inclusion of the subjectKeyIdentifier is NOT
RECOMMENDED, this contradicts section (Subject Key Identifier) of
RFC 5280 that states that entity certificates SHOULD include the SKI: 

   For end entity certificates, the subject key identifier extension 

   provides a means for identifying certificates containing the 

   particular public key used in an application.  Where an end entity 

   has obtained multiple certificates, especially from multiple CAs, the 

   subject key identifier provides a means to quickly identify the set 

   of certificates containing a particular public key.  To assist 

   applications in identifying the appropriate end entity certificate, 

   this extension SHOULD be included in all end entity certificates. 


Looking at the data from Censys we also see that almost all end-entity
certificates include the SKI: 

"precert" AND tags.raw: "trusted") AND NOT parsed.extensions.subject_key_id:
* - Censys 

Can we align the profile with RFC 5280 and change the inclusion of the SKI
to a SHOULD instead of the current NOT RECOMMENDED? 



Any email and files/attachments transmitted with it are confidential and are
intended solely for the use of the individual or entity to whom they are
addressed. If this message has been sent to you in error, you must not copy,
distribute or disclose of the information it contains. Please notify Entrust
immediately and delete the message from your system. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20221130/90b2bc38/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4990 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20221130/90b2bc38/attachment.p7s>

More information about the Validation mailing list