Victor Probo wrote:
> > > Robert Relyea wrote:
> >> Because the issuer is not part of the subject's identity. If the cert
>
> If you remember back to your posting of 11/15/01 you pointed out:
> "You will notice that in fact Baltimore and Verisign do not
> issue certs with the same DN; both CAs add an organization
> string in the DN which is unique to them. (enforceable in
> this case under trademark law;)."
>
> This organizational string makes the two certs *NOT* the same entity;
> doesn't it?
Yes. CAs work very hard to make sure they don't issue certs with the same DN, because their certs are supposed to represent different identities (and have semantic differences). The only way you can get into the position we were describing (same subject, different issuers) is if 1) there was a purposeful attempt to convert an identity from one CA to another, or 2) someone is trying to build up their own PKI infrastructure, ignoring the existing standards.

bob

> >> has the same subject and different issuers it is still considered part
> >> a cert for the same entity. This is how cross certification works.
> >> (The CA cert has the same subject, but may have different issuers).
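The point the two posts are circling (chain building keys on the subject/issuer name, so a cross-certified CA is one entity with two issuers, while a DN that differs in its O= component is a different entity) can be shown with a toy path builder. The following is an added example, not code from the thread or from NSS; certificates are modelled as plain dicts with a subject DN, an issuer DN, a key identifier and the identifier of the key that signed them, so the "signature check" is a key-id comparison rather than real cryptography. DN comparison here collapses case and whitespace, which is the minimum RFC 5280 (section 7.1) requires for PrintableString values; all names, key ids and certificates are constructed for the illustration.

```python
"""Toy X.509 path builder (illustrative, not NSS code).

A candidate issuer is accepted only if (a) its subject name matches the
current certificate's issuer name and (b) it carries the key that produced
the signature. Name match alone is necessary but not sufficient, which is
what separates a legitimate cross-certificate (same subject, same key,
different issuer) from a rogue certificate that merely copies the DN.
"""
from typing import Dict, List, Tuple

Cert = Dict[str, str]


def parse_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Turn 'CN=Foo, O=Bar' into ((CN, foo), (O, bar)); assumed simple
    DNs with no escaped commas. Case and internal whitespace are
    normalised so 'cn=sub ca' and 'CN=Sub  CA' compare equal."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), " ".join(value.split()).lower()))
    return tuple(rdns)


def same_name(a: str, b: str) -> bool:
    return parse_dn(a) == parse_dn(b)


def mk(name: str, subject: str, issuer: str, key: str, sig_key: str) -> Cert:
    """Constructed certificate record; 'key' is the key id the cert carries,
    'sig_key' is the key id that signed it."""
    return {"name": name, "subject": subject, "issuer": issuer,
            "key": key, "sig_key": sig_key}


def build_paths(leaf: Cert, pool: List[Cert], anchors: List[Cert],
                max_depth: int = 6) -> List[List[str]]:
    """Return every path leaf -> ... -> trust anchor as a list of cert names.
    Depth-first; candidates are taken from the pool plus the anchors."""
    paths: List[List[str]] = []

    def walk(cert: Cert, path: List[str]) -> None:
        if any(cert is anchor for anchor in anchors):
            paths.append(path)          # reached a trusted root
            return
        if len(path) >= max_depth:
            return
        for cand in pool + anchors:
            if cand is cert or cand["name"] in path:
                continue                # no loops
            if not same_name(cert["issuer"], cand["subject"]):
                continue                # issuer DN does not name this candidate
            if cand["key"] != cert["sig_key"]:
                continue                # DN matches but this key did not sign it
            walk(cand, path + [cand["name"]])

    walk(leaf, [leaf["name"]])
    return paths


# --- constructed PKI ------------------------------------------------------
ROOT_A = mk("root_a", "CN=Root A, O=CA A", "CN=Root A, O=CA A", "kA", "kA")
ROOT_B = mk("root_b", "CN=Root B, O=CA B", "CN=Root B, O=CA B", "kB", "kB")

# One subordinate CA identity, issued by Root A and cross-certified by Root B:
# same subject, same key, different issuers.
SUB_FROM_A = mk("sub_from_a", "CN=Sub CA, O=Example", "CN=Root A, O=CA A", "kS", "kA")
SUB_FROM_B = mk("sub_from_b", "CN=Sub CA, O=Example", "CN=Root B, O=CA B", "kS", "kB")

# Someone who copies the DN but holds a different key (a private PKI
# ignoring the existing namespace): name matches, signature check fails.
ROGUE = mk("rogue", "cn=sub ca, o=example", "CN=Root B, O=CA B", "kR", "kB")

# Same CN but a different O= string: a different entity altogether.
OTHER_ORG = mk("other_org", "CN=Sub CA, O=Other", "CN=Root B, O=CA B", "kO", "kB")

LEAF = mk("leaf", "CN=www.example.test, O=Example", "CN=Sub CA, O=Example", "kL", "kS")
LEAF_OTHER = mk("leaf_other", "CN=www.other.test, O=Other", "CN=Sub CA, O=Other", "kM", "kO")

POOL = [SUB_FROM_A, SUB_FROM_B, ROGUE, OTHER_ORG]


if __name__ == "__main__":
    for anchors in ([ROOT_A, ROOT_B], [ROOT_B]):
        print([a["name"] for a in anchors], build_paths(LEAF, POOL, anchors))
    print(build_paths(LEAF_OTHER, POOL, [ROOT_B]))
```

With both roots trusted the leaf gets two paths, one through each issuance of the same Sub CA; trusting only Root B leaves exactly the cross-certified path, and neither the rogue copy of the DN nor the O=Other CA ever appears in a path for this leaf, while the O=Other leaf chains only through its own CA.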