Hi,

Mike Helm wrote:
> Scott Rea writes:
> > Using AKI is definitely recommended for Bridging - it makes it easier to discover appropriate paths. The SURA documentation is not advising against this; they are in fact recommending that you do use it - but use the keyid version rather than the dirname version.
> I believe we are (or should be) recommending the same thing in the profile;

ACK

> the directory name version usage has led to problems with CA key rollover.

Well, if the key of the authority changes, the hash variant of the AKI changes too. IMO it was not the key rollover, it was the reissuing of a CA cert with e.g. an extended lifetime or a different signing hash (md5 towards sha1) which was easier with the hash AKI. In this case the serial number could be changed without effect on the evaluation of preexisting certification paths. The changed CA cert could just be replaced.

--
Beste Gruesse / Kind Regards
Reimer Karlsen-Masur
DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
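The point made above (a keyid AKI still matches a CA cert that was reissued under the same key with a new serial and lifetime, while the issuer-name-plus-serial form does not), as an added Go example that is not part of this thread. It assumes a constructed self-signed CA named "Example Bridge CA" and models the dirname+serial AKI form as a plain struct, since Go's x509 package does not expose that form.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCA self-signs a CA cert for caKey. The SubjectKeyId is SHA-1 over the key's
// SubjectPublicKeyInfo (RFC 5280 method-1 style), so it depends on the key only;
// calling issueCA again with the same key but a new serial models the reissued CA cert.
func issueCA(caKey *ecdsa.PrivateKey, serial int64, lifetime time.Duration) *x509.Certificate {
	spki, _ := x509.MarshalPKIXPublicKey(&caKey.PublicKey)
	skid := sha1.Sum(spki)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example Bridge CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(lifetime),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		SubjectKeyId: skid[:],
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// dirnameAKI models the authorityCertIssuer/authorityCertSerialNumber AKI form (constructed here).
type dirnameAKI struct{ issuer string; serial *big.Int }

// reissueScenario issues a leaf under CA cert #1, reissues the CA cert as #2 (same key, new
// serial, longer lifetime) and reports: leaf signature verifies under #2, keyid AKI matches #2,
// dirname+serial AKI matches #2.
func reissueScenario() (sigOK, keyidMatches, dirnameMatches bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca1 := issueCA(caKey, 1001, 365*24*time.Hour)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(7), Subject: pkix.Name{CommonName: "leaf"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca1, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(der) // AuthorityKeyId is copied from ca1.SubjectKeyId
	byName := dirnameAKI{issuer: ca1.Subject.CommonName, serial: ca1.SerialNumber}
	ca2 := issueCA(caKey, 1002, 10*365*24*time.Hour)
	sigOK = leaf.CheckSignatureFrom(ca2) == nil
	keyidMatches = bytes.Equal(leaf.AuthorityKeyId, ca2.SubjectKeyId)
	dirnameMatches = byName.issuer == ca2.Subject.CommonName && byName.serial.Cmp(ca2.SerialNumber) == 0
	return
}
```

The leaf's signature still verifies under the reissued CA cert and the keyid AKI still points at it, but the dirname+serial reference fails because the serial changed.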