RE: Request change in son-of-rfc2633

2003-10-28 15:44:10

-----Original Message-----
From: Russ Housley [mailto:housley(_at_)vigilsec(_dot_)com] 
Sent: Tuesday, October 28, 2003 5:47 AM
To: Peter Gutmann; blake(_at_)brutesquadlabs(_dot_)com; jimsch(_at_)exmsft(_dot_)com; pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: RE: Request change in son-of-rfc2633

I disagree.  Key identifiers are much smaller than <issuer name, serial
number>. When the key identifiers are computed from the public key (as is
recommended by RFC 3280), the likelihood of collision is acceptably small.
Further, if there is a collision, an implementation can try the very small
number of public keys that have the same

I think that the direction that's on the table is to clarify that
lookups by SubjectKeyIdentifier may yield more than one certificate, and
implementations should be prepared for that and not freak out and panic
the user.
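
The behaviour discussed in this thread, as an added example that is not code from either poster or from any S/MIME implementation: a certificate store whose SubjectKeyIdentifier lookup returns every match, and a verifier that tries each candidate key instead of failing on a collision. `Cert`, `CertStore`, `find_signer` and `make_key` are hypothetical names, the textbook-RSA functions are a toy stand-in for real signature verification, and the colliding identifier is constructed.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                       # hypothetical minimal certificate record
    subject: str
    n: int                        # toy RSA modulus (constructed, insecure)
    e: int                        # public exponent
    ski: bytes                    # subjectKeyIdentifier carried in the cert

def ski_from_key(n, e):
    # SHA-1 over the public key; simplified to a text encoding, not the DER bits.
    return hashlib.sha1(f"{n}:{e}".encode()).digest()

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def toy_sign(msg, n, d):          # textbook RSA, stand-in for a real signature
    return pow(digest(msg, n), d, n)

def toy_verify(msg, sig, cert):
    return pow(sig, cert.e, cert.n) == digest(msg, cert.n)

class CertStore:
    def __init__(self):
        self._by_ski = defaultdict(list)   # one SKI may map to several certs
    def add(self, cert):
        self._by_ski[cert.ski].append(cert)
    def lookup(self, ski):
        return list(self._by_ski.get(ski, ()))

def find_signer(store, ski, msg, sig):
    """Try every certificate filed under ski; return the first that verifies."""
    for cert in store.lookup(ski):
        if toy_verify(msg, sig, cert):
            return cert
    return None                   # no candidate, or none of them verified

def make_key(p, q, e=65537):      # constructed toy key from two known primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def demo():
    n1, e1, _ = make_key(2**31 - 1, 2**61 - 1)
    n2, e2, d2 = make_key(2**89 - 1, 2**107 - 1)
    shared = ski_from_key(n1, e1)          # constructed collision: both certs
    store = CertStore()                    # carry the same key identifier
    store.add(Cert("alice", n1, e1, shared))
    store.add(Cert("bob", n2, e2, shared))
    msg = b"constructed sample message"
    return store, shared, msg, toy_sign(msg, n2, d2)
```

`find_signer` returns `None` both when no certificate carries the identifier and when no candidate verifies, so the caller reports an ordinary "signer not found" or "bad signature" result rather than treating multiple matches as an error.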