Hello DCDT team,
The following has been identified with the latest DCDT 2015 edition certificates:
The current 2015 DCDT root certificate (dcdt31prod.sitenv.org_ca_root) lists the following Subject Key Identifier:
d0 04 29 53 f4 b3 4e 91 db 75 52 df f5 0e 52 9c 3c ae fb 97 27 f8 73 7d 19 a3 06 28 f5 bc d0 92
However, the D1_valA cert currently discovered for 2015 test D1 lists the following Authority Key Identifier:
KeyID=7d 30 35 00 8a e6 03 ef 7a 20 5d 12 f7 a4 7c 57 5f 90 88 2c
These do not match, so this is noncompliant with RFC 5280:
... In conforming CA certificates, the value of the
subject key identifier MUST be the value placed in the key identifier
field of the authority key identifier extension (Section 4.2.1.1) of
certificates issued by the subject of this certificate. ...
Although applications are not required to verify that key identifiers match when performing certificate path validation, those that do perform this check will reject the DCDT certificate chain.
Luis
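As an added example (not part of the original mail or of the DCDT project), a small Python check of the RFC 5280 rule quoted above: it decodes the DER extnValue of an issuer's SubjectKeyIdentifier and of a subject certificate's AuthorityKeyIdentifier and compares the key identifiers, returning None when the AKI carries no keyIdentifier. The two extension values below are constructed from the identifiers quoted in the mail; the function names are mine.

```python
def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_key_identifier(extn_value):
    """SubjectKeyIdentifier ::= KeyIdentifier (an OCTET STRING); return its bytes."""
    tag, value, _ = _tlv(extn_value)
    if tag != 0x04:
        raise ValueError("SKI extnValue is not an OCTET STRING")
    return value

def authority_key_identifier(extn_value):
    """AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OPTIONAL, ... }.
    Return the keyIdentifier bytes, or None when the issuer omitted that field."""
    tag, seq, _ = _tlv(extn_value)
    if tag != 0x30:
        raise ValueError("AKI extnValue is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, value, pos = _tlv(seq, pos)
        if tag == 0x80:  # context tag [0], primitive: the keyIdentifier
            return value
    return None

def key_ids_match(issuer_ski_extn, subject_aki_extn):
    """RFC 5280 linkage check: the subject's AKI keyIdentifier must equal the
    issuer's SKI. None means the AKI carries no keyIdentifier, so the check
    cannot be performed (a validator must not treat that as a failure)."""
    aki = authority_key_identifier(subject_aki_extn)
    if aki is None:
        return None
    return aki == subject_key_identifier(issuer_ski_extn)

# Extension values constructed from the two identifiers quoted in the mail
# (OCTET STRING of 32 bytes; SEQUENCE { [0] 20 bytes }). Note the lengths
# alone rule out a match: method (1) of RFC 5280 4.2.1.2 yields 20-byte SHA-1
# identifiers, and a 32-byte SKI cannot equal a 20-byte keyIdentifier.
CA_SKI_EXTN = b"\x04\x20" + bytes.fromhex(
    "d0 04 29 53 f4 b3 4e 91 db 75 52 df f5 0e 52 9c 3c ae fb 97 27 f8 73 7d 19 a3 06 28 f5 bc d0 92")
LEAF_AKI_EXTN = b"\x30\x16\x80\x14" + bytes.fromhex(
    "7d 30 35 00 8a e6 03 ef 7a 20 5d 12 f7 a4 7c 57 5f 90 88 2c")

if __name__ == "__main__":
    print("DCDT 2015 key identifiers match:", key_ids_match(CA_SKI_EXTN, LEAF_AKI_EXTN))
```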