Warwick,
pursuant to comments on the ANSI draft of extensions of the public key
infrastructure you shared with the community:-
4.2.1 offers a definition of an authority key
AuthorityKeyIdentifier EXTENSION ::= {
SYNTAX AuthorityKeyId
CRITICAL FALSE
IDENTIFIED BY { OID TBA } }
AuthorityKeyId ::= SEQUENCE {
keyIdentifier KeyIdentifier OPTIONAL,
certIssuer Name OPTIONAL,
certSerialNumber CertificateSerialNumber
OPTIONAL }
KeyIdentifier ::= OCTET STRING
whose purpose it is to aid the identification of verification keys to
be used during certificate validation.
The nature of the text suggests that certIssuer and certSerialNumber are a
pair of items constituting an atomic identifier.
For the sake of future interworking practices, and scoping the options
down to those intended, might we simply change the syntax in a minor
way:-
AuthorityKeyId ::= SEQUENCE {
keyIdentifier KeyIdentifier OPTIONAL,
certIdentifier CertIdentifier OPTIONAL
-- if both fields are present, then the issuer of the referenced by
-- certIdentifier should ensure consistent registration of both
identifiers
}
CertIdentifier ::= SEQUENCE {
certIssuer Name,
certSerialNumber CertificateSerialNumber
}
The example being, "I am constrained to issue a PMSP/MOSAIC certificate
only whose KMID prefix (as a partial instance of KeyIdentifier) has a
value semantically consistent with the name of the issuer (referred to
as certIssuer)." That is, there are registration policy rules to which
the authority is accountable which back the binding of KMID forms to
DISA(DoD)-registered Names, in this cryptosystem and operational domain example.
Generically, this requirement is covered by the comment above.