Authority Information Access (AIA) extension in the certificates of Belgian eID


Rodolphe Cardon

Mar 15, 2016, 3:51:08 AM
to eID Middleware Dev
Hello,

This is probably not the best place for this post, but I don't know where to ask such questions about the PKI of the Belgian eID.

The authentication and signature certificates both contain an X.509 v3 extension called Authority Information Access (AIA). The definition of this extension is included in RFC 5280:
The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears...

This extension is used for example by the Microsoft CryptoAPI to build the certificate chain when the intermediate certificates are not available. See the article https://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx
All possible certificate chains are built using locally cached certificates. If none of the certificate chains ends in a self-signed certificate, CryptoAPI then selects the best possible chain and attempts to retrieve issuer certificates specified in the authority information access extension to complete the chain. This process is repeated until a chain to a self-signed certificate is built.

A good example is the signature of a Microsoft Office document. Unless XAdES-X-L is used (XAdES level 5 in Microsoft Office), the certificate chain is not included in the signature, but the Microsoft CryptoAPI can retrieve the missing intermediate certificate (the citizen certificate) using this extension. The retrieved certificate will then be kept in cache for a while.

I'm wondering why this extension contains the URL of the Belgium Root certificate instead of the citizen certificate?
I think that this is a mistake in the PKI implementation of the Belgian eID, and that it could be fixed in the future:
  • The AIA extension of the signature and authentication certificates MUST contain the URL of the Citizen CA (= the CA that issued the certificate)
  • The Citizen CA SHOULD have an AIA extension with the URL of the Belgium Root CA signed by CyberTrust Global Root.
I hope this post will help to improve the Belgian PKI.

Kind regards,

Rodolphe Cardon
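The chain-building step described in the post, as an added example that is not code from the original post or from the eID project: a Go program that builds a toy Root -> Citizen CA -> citizen certificate hierarchy and follows the leaf's AIA caIssuers URL the way the quoted CryptoAPI behaviour does, once with the URL pointing at the root (as observed) and once pointing at the Citizen CA (as proposed). The repository URLs, certificate names and the in-memory "download" map are constructed stand-ins.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-ins for the caIssuers URLs found in the real eID certificates.
const rootURL, citizenURL = "http://repo.example/root.crt", "http://repo.example/citizen.crt"
// mkCert issues a test certificate signed by parent (self-signed when parent is nil); a non-empty aiaURL becomes its AIA caIssuers entry.
func mkCert(cn string, isCA bool, aiaURL string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if aiaURL != "" { tmpl.IssuingCertificateURL = []string{aiaURL} }
	if parent == nil { parent, pk = tmpl, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildChain follows the AIA caIssuers URL upwards, as CryptoAPI does when the intermediate is not cached locally;
// repo stands in for the HTTP download. A fetched certificate extends the chain only if it actually signed the current one.
func buildChain(leaf *x509.Certificate, repo map[string]*x509.Certificate) ([]string, error) {
	chain, cur := []string{leaf.Subject.CommonName}, leaf
	for cur.CheckSignatureFrom(cur) != nil { // stop once a self-signed root is reached
		if len(cur.IssuingCertificateURL) == 0 { return chain, fmt.Errorf("no AIA caIssuers URL in %q", cur.Subject.CommonName) }
		issuer, ok := repo[cur.IssuingCertificateURL[0]]
		if !ok { return chain, fmt.Errorf("cannot fetch %s", cur.IssuingCertificateURL[0]) }
		if err := cur.CheckSignatureFrom(issuer); err != nil { return chain, fmt.Errorf("%q fetched via AIA did not issue %q: %v", issuer.Subject.CommonName, cur.Subject.CommonName, err) }
		chain, cur = append(chain, issuer.Subject.CommonName), issuer
	}
	return chain, nil
}

// demo builds Root -> Citizen CA -> citizen certificate, with the leaf's AIA pointing at leafAIA, then tries to chain it.
func demo(leafAIA string) ([]string, error) {
	root, rootKey := mkCert("Belgium Root CA", true, "", nil, nil)
	citizen, citizenKey := mkCert("Citizen CA", true, rootURL, root, rootKey)
	leaf, _ := mkCert("Citizen (Authentication)", false, leafAIA, citizen, citizenKey)
	return buildChain(leaf, map[string]*x509.Certificate{rootURL: root, citizenURL: citizen})
}
func main() { fmt.Println(demo(rootURL)); fmt.Println(demo(citizenURL)) } // observed vs. proposed AIA
```

With the root URL in the leaf, the fetched root does not verify the leaf's signature and the chain stops at the leaf; with the Citizen CA URL, the chain completes to the root in two AIA hops.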

Frederik Vernelen

Mar 15, 2016, 4:01:29 AM
to eID Middleware Dev
Hello Rodolphe,

Thank you for sharing your findings with us.

I forwarded it to the responsible persons, and I'll bring it up in our next meeting.

Wkr,
Frederik


Rodolphe Cardon

Apr 1, 2017, 3:15:43 PM
to eID Middleware Dev
Any news?

Kind regards,
Rodolphe

Tim Bracke

Apr 25, 2017, 9:13:31 AM
to eID Middleware Dev
Hi Rodolphe,

Please check this post: https://groups.google.com/forum/#!topic/eid-middleware-dev/Eo6veeeB39U. We will adapt the AIA attribute.

Thank you for your remark.

Regards,
Tim

On Saturday, 1 April 2017 at 21:15:43 UTC+2, Rodolphe Cardon wrote:
Any news?

Kind regards,
Rodolphe
