For Brian Komar / David B. Cross


Rudy Hartono

Hi Brian / David,

I read a white paper which was published in November 2003 titled
"Troubleshooting Certificate Status and Revocation".

From the White Paper:

Exact match. If the AKI extension contains the issuer’s user
name and issuer serial number, only certificates that match on user
name and serial number will be chosen in the chain building process.
As a further test, the issuer name on the issued certificate must
match the subject name on the issuer certificate. Figure 8 shows a
certificate where exact matching was used to find the issuer’s
certificate. Note that the subject and serial number in the AKI
extension in the left hand certificate match the Serial number and
Subject of the certificate on the right.

But actually on the picture the subject in the AKI extension in the
left hand certificate does not match the Subject of the certificate on
the right.

Regards,


Rudy
 
I agree that Figure 8 is misleading. It attempts to show that an
intermediate CA is issued by a root and an exact match exists.
 
Hi David,

What do you mean by "Figure 8 is misleading"?

Is the picture misleading, or the words explaining the picture?

Regards,


Rudy
 
Sorry about that folks, I have an earlier draft where the figure was
correct, but that is just an excuse. The description is correct. If an
exact match is used, the subordinate CA's certificate will have an AKI
extension with the subject of the issuing CA certificate and the serial
number of the issuing CA certificate.

The issuing CA certificate will have a matching subject and a matching
serial number.

With apologies,
Brian
 
Hi Brian / David,

I have made a query before about the AKI extension on the forum and it
was answered by Vishal. Below is the link:

http://groups.google.com.sg/[email protected]&rnum=1

I found out that the explanation you give in the white paper
contradicts the one given by Vishal. Can you clarify this?

Regards,


Rudy
<snip>

It is not really a contradiction. Remember that the whitepaper describes
what we do with the MS CA. The certificate that Vishal is addressing,
which is causing failure by the win2k chaining engine has three pieces
of information in the AKI (which is allowed when you look at RFC 3280,
section 4.2.1.1).

The two chaining engines do *not* work the same. Enhancements were made
to Windows XP, hence it is smart enough to see the hash value in the AKI
and correctly build the chain.

Windows 2000 sees that there is info for an exact match, so that is what
it does.

Brian
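To make the difference between the two chaining engines concrete, here is an added Python model of the two issuer-selection rules described in this thread; it is not code from the white paper or from Windows. It models the Windows 2000 rule (an AKI carrying issuer name and serial number forces an exact match against the candidate's subject and serial, with the issued certificate's issuer name also having to equal the candidate's subject) and the Windows XP rule (prefer the AKI key identifier hash). All certificates are constructed, and the XP fallback to the exact-match rule when no key identifier matches is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the fields a chain builder consults (constructed model)."""
    subject: str
    issuer: str
    serial: int
    ski: Optional[bytes] = None          # SubjectKeyIdentifier
    aki_keyid: Optional[bytes] = None    # AKI keyIdentifier (hash)
    aki_issuer: Optional[str] = None     # AKI authorityCertIssuer
    aki_serial: Optional[int] = None     # AKI authorityCertSerialNumber

def exact_match(cert: Cert, cand: Cert) -> bool:
    """Exact match as the white paper describes it: AKI name/serial vs the
    candidate's subject/serial, plus issuer name vs candidate subject."""
    return (cert.aki_issuer == cand.subject and cert.aki_serial == cand.serial
            and cert.issuer == cand.subject)

def keyid_match(cert: Cert, cand: Cert) -> bool:
    return cert.aki_keyid is not None and cand.ski == cert.aki_keyid

def find_issuer_win2k(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """Windows 2000 rule from the thread: if the AKI holds name+serial, only an
    exact match is accepted, even when a key identifier is also present."""
    if cert.aki_issuer is not None and cert.aki_serial is not None:
        hits = [c for c in store if exact_match(cert, c)]
    elif cert.aki_keyid is not None:
        hits = [c for c in store if keyid_match(cert, c)]
    else:
        hits = [c for c in store if c.subject == cert.issuer]
    return hits[0] if hits else None

def find_issuer_xp(cert: Cert, store: List[Cert]) -> Optional[Cert]:
    """Windows XP rule: use the hash in the AKI when it is there;
    falling back to the Windows 2000 rule otherwise is an assumption."""
    hits = [c for c in store if keyid_match(cert, c)]
    return hits[0] if hits else find_issuer_win2k(cert, store)

# Constructed certificates: a self-signed root, a subordinate CA whose AKI is
# populated the way Brian describes (root's subject + root's serial + hash),
# and an end-entity certificate carrying all three AKI pieces, where the
# name/serial pair does not line up with the issuing CA's subject/serial
# but the key identifier does.
ROOT = Cert("CN=Root", "CN=Root", 1, ski=b"\x11" * 20)
SUB_CA = Cert("CN=Sub CA", "CN=Root", 2, ski=b"\x22" * 20,
              aki_keyid=b"\x11" * 20, aki_issuer="CN=Root", aki_serial=1)
THREE_FIELD_EE = Cert("CN=user", "CN=Sub CA", 1234, aki_keyid=b"\x22" * 20,
                      aki_issuer="CN=Root", aki_serial=2)
STORE = [ROOT, SUB_CA]
```

Run against `STORE`, the subordinate CA chains under both rules, while the three-field end-entity certificate chains only under the XP rule, which is the behaviour the thread attributes to the two engines.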
 