Difference between revisions of "Subject Key ID"
(Created page with "==Full Title== The subject key identifier (SKID or ski depending on use) is an x509 extension and thus actually part of the certificate. ==Context== The fingerprint instead...") |
(→Solutions) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
==Context== | ==Context== | ||
| − | + | The fingerprint is not part of the certificate but instead computed from the certificate. A certificate does not need to have an SKID at all and can have at most one SKID. But since the fingerprint is just a computed from the certificate there can be multiple fingerprints, like one using SHA-1, one using SHA-256, one using MD5 ... | |
The SKID is used to create the trust chain not based on the certificate subject and issuer but on the certificate SKID and authority key identifier (AKID). This makes it easier to deal with situations where the same subject string is used with multiple CA certificates. While the RFC 3280 describes common ways to generate SKID the only real requirement is that the SKID of the CA certificate must match the AKID in all certificates issued by this CA. | The SKID is used to create the trust chain not based on the certificate subject and issuer but on the certificate SKID and authority key identifier (AKID). This makes it easier to deal with situations where the same subject string is used with multiple CA certificates. While the RFC 3280 describes common ways to generate SKID the only real requirement is that the SKID of the CA certificate must match the AKID in all certificates issued by this CA. | ||
| Line 17: | Line 17: | ||
X509v3 Authority Key Identifier: | X509v3 Authority Key Identifier: | ||
keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 | keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 | ||
| − | |||
---- | ---- | ||
| − | |||
... | ... | ||
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority | Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority | ||
| Line 28: | Line 26: | ||
X509v3 Subject Key Identifier: | X509v3 Subject Key Identifier: | ||
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 | BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 | ||
| + | |||
| + | ==Problems== | ||
| + | The SKID is a key id, not a certificate ID and so the SKID (as a rule) is calculated from the Subject and Public Key while the fingerprint is generated from the whole certificate. If a certificate is renewed, its SKID will stay the same, while its fingerprint will change. The SKID remains the same only when key pair is reused during renewal. If new key pair is generated, as happens when the key is rolled, it will produce new SKID value, | ||
| + | ==Solutions== | ||
| + | So there are several levels of ID that an [[Entity]] might exhibit. | ||
| + | # The Entity ID which could survive even a change in cryptographic method. | ||
| + | # The [[Decentralized ID]] (did) which can survive a key rollover if the method enabled it. | ||
| + | # The SKID which could survive the issuance of a new certificate if the key were not rolled. | ||
| + | # The Certificate Fingerprint which is, essentially, a certificate GUID. | ||
| + | |||
| + | Also note that an [[Entity]] could very well have multiple dids or keys to support different business purposes. | ||
==References== | ==References== | ||
| + | * [https://security.stackexchange.com/questions/200295/the-difference-between-subject-key-identifier-and-sha1fingerprint-in-x509-certif#:~:text=The%20subject%20key%20identifier%20%28SKID%29%20is%20an%20x509,all%20and%20can%20have%20at%20most%20one%20SKID. The difference between Subject Key Identifier and sha1Fingerprint in X509 Certificates] | ||
[[Category: Standard]] | [[Category: Standard]] | ||
Latest revision as of 15:09, 9 September 2021
Full Title
The subject key identifier (SKID or ski depending on use) is an x509 extension and thus actually part of the certificate.
Context
The fingerprint is not part of the certificate but instead computed from the certificate. A certificate does not need to have an SKID at all and can have at most one SKID. But since the fingerprint is just a computed from the certificate there can be multiple fingerprints, like one using SHA-1, one using SHA-256, one using MD5 ...
The SKID is used to create the trust chain not based on the certificate subject and issuer but on the certificate SKID and authority key identifier (AKID). This makes it easier to deal with situations where the same subject string is used with multiple CA certificates. While the RFC 3280 describes common ways to generate SKID the only real requirement is that the SKID of the CA certificate must match the AKID in all certificates issued by this CA.
In the example below it can be clearly seen that the SKID BB:AF:7E:02:3D:FA:... of the issuer matches the AKID of the issued certificate:
...
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
...
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
...
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
----
...
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
...
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
...
X509v3 extensions:
X509v3 Subject Key Identifier:
BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
Problems
The SKID is a key id, not a certificate ID and so the SKID (as a rule) is calculated from the Subject and Public Key while the fingerprint is generated from the whole certificate. If a certificate is renewed, its SKID will stay the same, while its fingerprint will change. The SKID remains the same only when key pair is reused during renewal. If new key pair is generated, as happens when the key is rolled, it will produce new SKID value,
Solutions
So there are several levels of ID that an Entity might exhibit.
- The Entity ID which could survive even a change in cryptographic method.
- The Decentralized ID (did) which can survive a key rollover if the method enabled it.
- The SKID which could survive the issuance of a new certificate if the key were not rolled.
- The Certificate Fingerprint which is, essentially, a certificate GUID.
Also note that an Entity could very well have multiple dids or keys to support different business purposes.
