RFC 8410, "Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure", August 2018
Source of RFC: curdle (sec)
Errata ID: 6229
Publication Format(s) : TEXT
Reported By: David von Oheimb
Date Reported: 2020-07-12
Section 10.2 says:
An example of a self-issued PKIX certificate using Ed25519 to sign an X25519 public key would be
The given example certificate is self-issued but not self-signed (which is fine because its public key cannot be used for signing).
It includes a subjectKeyIdentifier but not an authorityKeyIdentifier.
For certificates that are not self-signed, RFC 5280 requires in section 4.2.1.1 (https://tools.ietf.org/html/rfc5280#section-4.2.1.1) that the authorityKeyIdentifier is present.
Thus for such an example certificate the authorityKeyIdentifier MUST be added in order to be a conforming certificate.
Otherwise, cert chain validation will be misled into assuming that the certificate is self-signed (while usually not actually verifying this supposition).
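As an added check (not part of the report or of RFC 8410), a stdlib-only Python walker that applies the RFC 5280 rule the report cites to a certificate shaped like the section 10.2 example: it decides whether the certificate could be self-signed at all (issuer equals subject, and the key algorithm is a signature algorithm matching the signature OID) and, if not, requires an authorityKeyIdentifier. The sample certificate, its key bytes, key identifiers and signature are constructed placeholders; only the OIDs are the real ones.

```python
# Added example, not from the erratum or RFC 8410: stdlib-only DER walker applying RFC 5280 §4.2.1.1
# (AKI MAY be omitted only from a self-signed certificate) to a cert shaped like RFC 8410 §10.2.
OID = {"1.3.101.110": "X25519", "1.3.101.111": "X448", "1.3.101.112": "Ed25519",
       "1.3.101.113": "Ed448", "2.5.29.14": "SKI", "2.5.29.35": "AKI"}

def tlv(tag, body):                                   # minimal DER encoder (definite lengths)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body
def oid(s):                                           # OID encoder for arcs < 128 (enough for the sample)
    a, b, *rest = map(int, s.split("."))
    return tlv(0x06, bytes([40 * a + b, *rest]))
def items(buf):                                       # yield (tag, body) for each DER TLV in buf
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F; n = int.from_bytes(buf[i:i + k], "big"); i += k
        yield tag, buf[i:i + n]
        i += n
def oid_str(body):                                    # OID body -> dotted string (any arc size)
    vals, v = [body[0] // 40, body[0] % 40], 0
    for c in body[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80: vals.append(v); v = 0
    return ".".join(map(str, vals))

def inspect(cert):
    tbs, _alg, _sig = items(next(items(cert))[1])
    f = list(items(tbs[1]))
    if f[0][0] == 0xA0: f = f[1:]                     # skip explicit [0] version
    _serial, sig_alg, issuer, _validity, subject, spki = f[:6]
    key_alg = oid_str(next(items(next(items(spki[1]))[1]))[1])
    sig_oid = oid_str(next(items(sig_alg[1]))[1])
    present = {OID.get(oid_str(next(items(ext))[1])) for t, body in f[6:] if t == 0xA3
               for _s, ext in items(next(items(body))[1])}        # [3] EXPLICIT Extensions
    self_issued = issuer[1] == subject[1]
    # Only a signing key whose OID matches the signature OID could have signed its own cert;
    # RFC 8410 restricts X25519/X448 to key agreement, so a cert for such a key never is.
    return {"self_issued": self_issued, "has_ski": "SKI" in present, "has_aki": "AKI" in present,
            "may_be_self_signed": self_issued and key_alg == sig_oid and OID.get(key_alg) in ("Ed25519", "Ed448")}
def conforms_rfc5280_aki(cert):
    i = inspect(cert); return i["has_aki"] or i["may_be_self_signed"]

def sample_cert(with_aki):   # constructed: Ed25519 sig alg over an X25519 key; dummy key, ids and signature
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"IETF Test Demo"))))
    ed = tlv(0x30, oid("1.3.101.112"))
    spki = tlv(0x30, tlv(0x30, oid("1.3.101.110")) + tlv(0x03, b"\x00" + b"\x11" * 32))
    exts = tlv(0x30, oid("2.5.29.14") + tlv(0x04, tlv(0x04, b"\x22" * 20)))           # SKI
    if with_aki:                                                                        # AKI keyIdentifier [0]
        exts += tlv(0x30, oid("2.5.29.35") + tlv(0x04, tlv(0x30, tlv(0x80, b"\x22" * 20))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ed + name
              + tlv(0x30, tlv(0x17, b"200101000000Z") * 2) + name + spki + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + ed + tlv(0x03, b"\x00" + b"\x33" * 64))
```

`conforms_rfc5280_aki(sample_cert(False))` is False for the §10.2-shaped certificate (self-issued, SKI only), and True once the AKI extension is added.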