need to any more. Nowadays web browsers using unrestricted strong encryption
are generally available.
-When there were tight export restrictions on the export of strong encryption
+When there were tight restrictions on the export of strong encryption
software from the US only weak encryption algorithms could be freely exported
(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation the rules allowed the use of strong encryption but
+inadequate. A relaxation of the rules allowed the use of strong encryption but
only to an authorised server.
Two slighly different techniques were developed to support this, one used by
encryption so these certificates are now obsolete.
-* Why does OpenSSL set the authority key identifier AKID) extension incorrectly?
+* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
It doesn't: this extension is often the cause of confusion.
-Consider a certificate chain A->B->C so that A signs, B and B signs C. Suppose
+Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
certificate C contains AKID.
The purpose of this extension is to identify the authority certificate B. This
In this latter case because it is identifying certifcate B it must contain the
issuer name and serial number of B.
-It is often wrongly assumed that it should contain the issuer name of C. If it
+It is often wrongly assumed that it should contain the subject name of B. If it
did this would be redundant information because it would duplicate the issuer
name of C.
projects / openssl.git / blobdiff