On Fri, Feb 10, 2006, Kyle Hamilton wrote:

> I haven't checked the archives, but if I'm not mistaken, it's because
> it's (presumably) the rootCA that is the original trusted authority
> (the 'trust anchor'), and thus the authorityKeyIdentifier is the
> anchor rather than the CA that derives its trust from the anchor?

Suppose we have a chain ...A->B->C

If certificate C contains the authority key identifier AKID.

The purpose of the AKID is to identify the issuing authority B.

If can do this in one of two ways. It either be by key identifier or by issuer
and serial number (which has to be unique).

Since it is identifying B it contains the issuer name and serial number of B.

The issuer name of B is of course also the subject name of A, which doesn't
have to be a root CA.

In any case if the extension (wrongly) contained the subject name of B
that would be redundant since that matches the issuer name of A.

> (Also: if the question has been asked quite a few times before, why
> isn't the answer in the FAQ?)

It hadn't quite reached the threshold for inclusion in the FAQ. I'd say it
probably has now...

Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org