ietf-smime

RE: Corporate Key mechanism

1998-01-23 17:09:26

From BlakeR(_at_)deming(_dot_)com Fri Jan 23 17:09:37 1998

I really do see your point John, and I agree about the bloat and
additional storage requirements, which is why I suggested the choice
between the identifier and the certificate itself.  The most important
thing to me is to make sure that in the event that this (potentially
critical) extension is present, that there is a way to make sure that
the certificate to which it refers is present also.

I will say that your comments have me leaning towards not having the
entire cert inside.

Blake

How about the PKCS#7 keyID? 

KeyID ::= CHOICE {
    x509IssuerAndSerialNumber
                    [ 0 ] EXPLICIT IssuerAndSerialNumber,
                                    -- X.509 cert.issuer and cert.serial no.
    x509KeyID       [ 1 ] EXPLICIT X509KeyID,
    publicKeyInfo   [ 2 ] EXPLICIT SubjectPublicKeyInfo,
                                    -- Raw public key info
    internalID      [ 3 ] EXPLICIT INTEGER, -- Internal ref. used by this PDU
    otherID         [ 4 ] EXPLICIT OtherID
}

To shamelessly cut and paste a message as sent by Peter Gutmann (on an
entirely different issue) ...

        -- Chen Wang, NetDox
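
Added example, not part of the original messages or of any PKCS#7 implementation: a minimal reader that tells which KeyID alternative a DER-encoded value carries by its EXPLICIT context tag, which is the check a receiver needs before it can go looking for the certificate the identifier refers to. DER encoding, the function names and the sample byte strings are assumptions made for this sketch.

```python
# Added example: classify a DER-encoded KeyID by its EXPLICIT context tag.
# Function names and sample bytes are constructed for illustration.
ALTERNATIVES = {0: "x509IssuerAndSerialNumber", 1: "x509KeyID",
                2: "publicKeyInfo", 3: "internalID", 4: "otherID"}

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for one definite-length DER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not used by KeyID")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end

def parse_key_id(der):
    """Return (alternative_name, inner) where inner is an int for internalID,
    otherwise the raw inner TLV bytes left for a full ASN.1 decoder."""
    tag, inner, end = read_tlv(der)
    if end != len(der):
        raise ValueError("trailing bytes after KeyID")
    # EXPLICIT [n] is context-specific and constructed: tag byte 0xA0 | n
    if tag & 0xE0 != 0xA0 or (tag & 0x1F) not in ALTERNATIVES:
        raise ValueError("not a KeyID alternative: tag 0x%02x" % tag)
    name = ALTERNATIVES[tag & 0x1F]
    inner_tag, value, inner_end = read_tlv(inner)
    if inner_end != len(inner):
        raise ValueError("EXPLICIT wrapper must hold exactly one TLV")
    if name == "internalID":
        if inner_tag != 0x02 or not value:
            raise ValueError("internalID must wrap an INTEGER")
        return name, int.from_bytes(value, "big", signed=True)
    return name, inner

# Constructed samples: [3] EXPLICIT INTEGER 5, and [2] wrapping an empty
# SEQUENCE as a stand-in (not a real SubjectPublicKeyInfo).
SAMPLE_INTERNAL = bytes.fromhex("a303020105")
SAMPLE_PUBKEY = bytes.fromhex("a2023000")
```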

