
RE: Request change in son-of-rfc2633

2003-10-28 16:19:52

No problem.

At 02:44 PM 10/28/2003 -0800, Blake Ramsdell wrote:
> I disagree.  Key identifiers are much smaller than <issuer distinguished
> name, serial number>. When the key identifiers are computed from the public
> key (as is recommended by RFC 3280), the likelihood of collision is
> acceptably small. Further, if there is a collision, an implementation can
> try the very small number of public keys that have the same identifier.

I think that the direction that's on the table is to clarify that
lookups by SubjectKeyIdentifier may yield more than one certificate, and
implementations should be prepared for that and not freak out and panic
the user.
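
The lookup behaviour discussed in this thread, as an added example that is not part of the original messages: a certificate index keyed by SubjectKeyIdentifier that returns every match, with the candidates narrowed by trying each public key. The textbook RSA over fixed primes, the key byte encoding, the serial numbers and the message are constructed stand-ins, and all function and class names are hypothetical.

```python
import hashlib
from collections import defaultdict

def key_id(pub):
    """SHA-1 over the public key, in the style of RFC 3280 4.2.1.2 method (1).
    The byte encoding of (n, e) used here is constructed, not DER."""
    n, e = pub
    return hashlib.sha1(f"{n}:{e}".encode()).digest()

def toy_keypair(p, q, e=65537):
    """Textbook RSA from two known primes: a stand-in for real keys, not secure."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(pub, priv, msg):
    return pow(digest_int(msg, pub[0]), priv, pub[0])

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(msg, n)

class CertStore:
    """Index keyed by SubjectKeyIdentifier; each entry is a list, never one slot."""
    def __init__(self):
        self._by_ski = defaultdict(list)

    def add(self, serial, ski, pub):
        self._by_ski[ski].append({"serial": serial, "ski": ski, "pub": pub})

    def find_by_ski(self, ski):
        return list(self._by_ski.get(ski, ()))

def resolve_signer(store, ski, msg, sig):
    """Try every certificate sharing the identifier; keep those whose key verifies."""
    return [c for c in store.find_by_ski(ski) if verify(c["pub"], msg, sig)]

# Constructed sample data: Mersenne primes give small, reproducible toy keys.
PUB_A, PRIV_A = toy_keypair(2**61 - 1, 2**89 - 1)
PUB_B, _ = toy_keypair(2**107 - 1, 2**127 - 1)
SKI = key_id(PUB_A)
STORE = CertStore()
STORE.add(serial=1001, ski=SKI, pub=PUB_A)  # original certificate for key A
STORE.add(serial=1002, ski=SKI, pub=PUB_A)  # renewal: same key, same identifier
STORE.add(serial=2001, ski=SKI, pub=PUB_B)  # different key, colliding identifier
MSG = b"constructed message body"
SIG = sign(PUB_A, PRIV_A, MSG)
```

Here the lookup returns three certificates and two remain after verification (1001 and 1002), so the caller has to handle a list at both stages.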