On 05/05/15 16:55, David Woodhouse wrote:
On Mon, May 4, 2015 1:25 pm, David Woodhouse wrote:
>>>>>> Hm... so if I have two certificates; one with:
>>>>>>  CKA_SUBJECT: "My CA"
>>>>>>  CKA_LABEL: "My CA (2010 instance)"
>>>>>> and the other:
>>>>>>  CKA_SUBJECT: "My CA"
>>>>>>  CKA_LABEL: "My CA (2015 instance)"

   Surely that's not unique? Using the above example, surely the first
   certificate issued by the 2010 instance of 'My CA', and the first
   certificate issued by the 2015 instance, are both going to have
   identical CKA_ISSUER and CKA_SERIAL_NUMBER, aren't they?

[My confusion over CA and ancestor CA serials elided.]

I'm talking about the serial numbers of the certs issued *by* the two
"My CA"s.

Let's assume each CA starts at '1' — that in each case the
CKA_SERIAL_NUMBER of the first cert issued *by* 'My CA' is "1".

Now, since each of those CAs issues a cert with CKA_SERIAL_NUMBER="1",
and in both cases the CKA_ISSUER of that issued cert is 'My CA', that
means the combination of CKA_ISSUER and CKA_SERIAL_NUMBER does *not*
uniquely identify a certificate, surely?

(Unless the two CAs in question are expected to use *disjoint* number
spaces for the CKA_SERIAL_NUMBER of certificates that they themselves
issue?)

My reaction is that if there are two different CAs, there ought to be
two different issuers, and if there is one CA using two different
certificates, it ought to use disjoint spaces for the serial numbers.
(And if there were two issuers, presumably the subjects in the initial
example would have been different.)

But I would be totally unsurprised to find that reality doesn't work
like that...


My employer has a habit of creating new CAs with the same subject as
old ones. So I've dealt with a number of bugs where validation fails
because some piece of code assumes that it can find the issuer of a
given certificate by looking for the first CA in the database whose
CKA_SUBJECT matches the CKA_ISSUER of the certificate in question.

Oh look, reality doesn't always work like I think it should.
Guess how unsurprised I am :-)

--
http://www.brocade.com/products/all/application-delivery-controllers/index.page
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
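The ambiguity the thread describes (two CAs with the same subject, each issuing a certificate with serial number "1", and code that picks the first CA whose CKA_SUBJECT matches the leaf's CKA_ISSUER) modelled as an added example; this is not code from the thread, from NSS, or from any PKCS#11 module. It assumes an in-memory store of dict-per-object records carrying PKCS#11-style attribute names plus two hypothetical fields, `ski` and `aki`, standing in for the Subject Key Identifier and Authority Key Identifier extensions that a real DER certificate would carry; the key identifiers are derived from constructed byte strings, not real keys.

```python
"""Constructed model of the (CKA_ISSUER, CKA_SERIAL_NUMBER) collision.

Not code from the mailing-list thread, NSS or PKCS#11. Certificates are
plain dicts; 'ski' and 'aki' are hypothetical stand-ins for the
SubjectKeyIdentifier / AuthorityKeyIdentifier extensions.
"""
import hashlib
from collections import Counter


def key_id(pubkey: bytes) -> str:
    # RFC 5280 method (1): SHA-1 over the public key bits. The "keys"
    # here are constructed byte strings, so this only models the idea.
    return hashlib.sha1(pubkey).hexdigest()[:16]


def make_ca(subject: str, label: str, serial: str, pubkey: bytes) -> dict:
    # Self-signed CA: issuer == subject, AKI == its own SKI.
    kid = key_id(pubkey)
    return {"CKA_SUBJECT": subject, "CKA_ISSUER": subject, "CKA_SERIAL_NUMBER": serial,
            "CKA_LABEL": label, "ski": kid, "aki": kid, "is_ca": True}


def make_issued(ca: dict, serial: str, subject: str, pubkey: bytes, with_aki: bool = True) -> dict:
    # Leaf certificate issued by `ca`; AKI points at the issuing CA's SKI.
    return {"CKA_SUBJECT": subject, "CKA_ISSUER": ca["CKA_SUBJECT"], "CKA_SERIAL_NUMBER": serial,
            "CKA_LABEL": subject, "ski": key_id(pubkey),
            "aki": ca["ski"] if with_aki else None, "is_ca": False}


# Constructed store: the 2010 CA is inserted first, as in the thread's example.
CA_2010 = make_ca("CN=My CA", "My CA (2010 instance)", "1000", b"constructed-ca-key-2010")
CA_2015 = make_ca("CN=My CA", "My CA (2015 instance)", "1001", b"constructed-ca-key-2015")
LEAF_2010 = make_issued(CA_2010, "1", "CN=server.example", b"constructed-leaf-key-a")
LEAF_2015 = make_issued(CA_2015, "1", "CN=mail.example", b"constructed-leaf-key-b")
LEAF_NO_AKI = make_issued(CA_2015, "2", "CN=legacy.example", b"constructed-leaf-key-c", with_aki=False)
TOKEN = [CA_2010, CA_2015, LEAF_2010, LEAF_2015, LEAF_NO_AKI]


def find_by_issuer_serial(store: list, issuer: str, serial: str) -> list:
    """The lookup the thread questions. Returns every match so that a
    collision is visible instead of silently taking the first hit."""
    return [c for c in store if c["CKA_ISSUER"] == issuer and c["CKA_SERIAL_NUMBER"] == serial]


def find_issuer_by_subject_first(store: list, cert: dict):
    """The buggy pattern from the thread: first CA whose CKA_SUBJECT equals
    the certificate's CKA_ISSUER. Wrong whenever a CA has been rolled over
    under the same name."""
    for c in store:
        if c["is_ca"] and c["CKA_SUBJECT"] == cert["CKA_ISSUER"]:
            return c
    return None


def issuer_candidates(store: list, cert: dict) -> list:
    """RFC 4158-style selection: all CAs matching by name, narrowed to those
    whose SKI equals the certificate's AKI when the certificate carries one.
    The caller still verifies the signature against each candidate; the key
    identifier is only a selector, never proof of issuance."""
    by_name = [c for c in store if c["is_ca"] and c["CKA_SUBJECT"] == cert["CKA_ISSUER"]]
    if cert.get("aki") is None:
        return by_name  # no AKI: every same-named CA must be tried
    return [c for c in by_name if c["ski"] == cert["aki"]]


def duplicate_ca_subjects(store: list) -> list:
    """Audit check for the rollover pattern: CA subjects that occur more than
    once in the store, i.e. exactly the situation that breaks name-only lookups."""
    counts = Counter(c["CKA_SUBJECT"] for c in store if c["is_ca"])
    return sorted(s for s, n in counts.items() if n > 1)


if __name__ == "__main__":
    hits = find_by_issuer_serial(TOKEN, "CN=My CA", "1")
    print("issuer+serial ('CN=My CA', '1') matches:", [c["CKA_SUBJECT"] for c in hits])
    wrong = find_issuer_by_subject_first(TOKEN, LEAF_2015)
    print("first-subject-match issuer for", LEAF_2015["CKA_SUBJECT"], "->", wrong["CKA_LABEL"])
    right = issuer_candidates(TOKEN, LEAF_2015)
    print("key-id-narrowed candidates ->", [c["CKA_LABEL"] for c in right])
    print("CAs to try for a leaf without AKI ->", len(issuer_candidates(TOKEN, LEAF_NO_AKI)))
    print("duplicate CA subjects in store:", duplicate_ca_subjects(TOKEN))
```

Running the block shows the collision directly: two certificates answer to issuer "CN=My CA" and serial "1", the first-subject-match lookup hands the 2015 leaf to the 2010 CA, and the key-identifier-narrowed lookup returns only the 2015 instance. When a leaf lacks an AKI the candidate list keeps both same-named CAs, which is the correct behaviour: the signature check over each candidate, not a name match, decides which one actually issued it. The `duplicate_ca_subjects` check is the kind of audit a trust-store owner can run to find out in advance whether any name-only lookup in their code base is exposed to this pattern.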
