-----Original Message-----
From: Russ Housley [mailto:housley(_at_)vigilsec(_dot_)com]
Sent: Tuesday, October 28, 2003 5:47 AM
To: Peter Gutmann; blake(_at_)brutesquadlabs(_dot_)com;
jimsch(_at_)exmsft(_dot_)com; pgut001(_at_)cs(_dot_)auckland(_dot_)ac(_dot_)nz
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: RE: Request change in son-of-rfc2633
I disagree. Key identifiers are much smaller than <issuer distinguished name, serial number>. When the key identifiers are computed from the public key (as is recommended by RFC 3280), the likelihood of collision is acceptably small. Further, if there is a collision, an implementation can try the very small number of public keys that have the same identifier.
I think that the direction that's on the table is to clarify that
lookups by SubjectKeyIdentifier may yield more than one certificate, and
implementations should be prepared for that and not freak out and panic
the user.
Blake
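
Added example (not part of the message above, nor of son-of-rfc2633 or RFC 3280): a stdlib-only Python sketch of the behaviour Russ and Blake describe. It derives a key identifier from the subjectPublicKey BIT STRING using both derivations RFC 3280 suggests (SHA-1 of the key, and 0100 plus the low 60 bits of the SHA-1), keeps a store whose SubjectKeyIdentifier lookup returns a list rather than a single certificate, and resolves a signer by trying every candidate. The RSA here is textbook RSA over hard-coded Mersenne primes with no padding, the DER encoder covers only INTEGER and SEQUENCE, and the three certificates, the colliding identifier assigned to the second one, and the names Alice, Bob and Carol are all constructed for the illustration.

```python
"""Key-identifier lookup that tolerates collisions (toy, stdlib only)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


# --- Minimal DER helpers, enough to encode an RSAPublicKey SEQUENCE ---------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_integer(x: int) -> bytes:
    # Non-negative INTEGER: adds a leading 0x00 when the high bit would be set.
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(b)) + b


def rsa_public_key_der(n: int, e: int) -> bytes:
    """DER of RSAPublicKey ::= SEQUENCE { modulus, publicExponent }; for RSA
    this is exactly the content of the subjectPublicKey BIT STRING."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_len(len(body)) + body


# --- The two derivations suggested in RFC 3280 section 4.2.1.2 -------------
def ski_method1(subject_public_key: bytes) -> bytes:
    """160-bit SHA-1 of the BIT STRING value (tag, length, unused-bits octet excluded)."""
    return hashlib.sha1(subject_public_key).digest()


def ski_method2(subject_public_key: bytes) -> bytes:
    """Four bits 0100 followed by the least significant 60 bits of the SHA-1."""
    h = hashlib.sha1(subject_public_key).digest()
    return bytes([0x40 | (h[12] & 0x0F)]) + h[13:]


# --- Textbook RSA over hard-coded Mersenne primes: a toy, no padding --------
def _digest_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % n


class ToyRSAKey:
    def __init__(self, p: int, q: int, e: int = 65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))

    def sign(self, msg: bytes) -> int:
        return pow(_digest_int(msg, self.n), self.d, self.n)


def rsa_verify(n: int, e: int, msg: bytes, sig: int) -> bool:
    return pow(sig, e, n) == _digest_int(msg, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    n: int
    e: int
    ski: bytes  # subjectKeyIdentifier exactly as the issuer put it in the extension


class CertStore:
    """Indexed by SubjectKeyIdentifier; a lookup yields a list, never one cert."""
    def __init__(self):
        self._by_ski = defaultdict(list)

    def add(self, cert: Cert) -> None:
        self._by_ski[cert.ski].append(cert)

    def lookup(self, ski: bytes) -> list:
        return list(self._by_ski.get(ski, []))


def find_signer(store: CertStore, ski: bytes, msg: bytes, sig: int):
    """Try every candidate carrying this key identifier and return the one whose
    key verifies the signature, or None. A second candidate is not an error."""
    for cert in store.lookup(ski):
        if rsa_verify(cert.n, cert.e, msg, sig):
            return cert
    return None


def build_demo_store():
    """Constructed data: three toy certs, two of which share a key identifier."""
    key_a = ToyRSAKey(2**31 - 1, 2**61 - 1)
    key_b = ToyRSAKey(2**19 - 1, 2**89 - 1)
    key_c = ToyRSAKey(2**13 - 1, 2**17 - 1)
    cert_a = Cert("CN=Alice", key_a.n, key_a.e,
                  ski_method1(rsa_public_key_der(key_a.n, key_a.e)))
    # The SKI is whatever the issuer chose. This constructed CA gave Bob the
    # same identifier that Alice's key hashes to, so lookups collide.
    cert_b = Cert("CN=Bob", key_b.n, key_b.e, cert_a.ski)
    cert_c = Cert("CN=Carol", key_c.n, key_c.e,
                  ski_method2(rsa_public_key_der(key_c.n, key_c.e)))
    store = CertStore()
    for cert in (cert_a, cert_b, cert_c):
        store.add(cert)
    return store, {"a": (cert_a, key_a), "b": (cert_b, key_b), "c": (cert_c, key_c)}


if __name__ == "__main__":
    store, entries = build_demo_store()
    cert_b, key_b = entries["b"]
    msg = b"constructed S/MIME payload"
    print(len(store.lookup(cert_b.ski)), "candidates for Bob's key identifier")
    print("signer:", find_signer(store, cert_b.ski, msg, key_b.sign(msg)).subject)
```

The point of the shape is in find_signer: a SubjectKeyIdentifier match narrows the candidate set but does not identify the key, so the first non-verifying candidate is skipped rather than reported as a broken signature; only an empty list or no verifying candidate is a failure.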