"Dr. Donal O'Mahony" wrote:
> 
> Are there not many cases where one would want to issue multiple certs
> with the same DN (and different serial numbers) e.g. separate signing
> and encryption certs, re-issue of a cert that had been revoked etc.

OpenSSL supports re-issue of a cert after the revocation of this cert.
If you have separate keys for encryption and signing then you must have
different DNs if you use openssl and we use openssl.

The usage of keys depends only on the extensions so it should be
possible to use different DNs if you know the PINs of the private keys.
It's only a question of the software because most programs don't
support separate keys.
 
> Is it only openssl that would need to be changed to allow this?  Or
> is the way OpenCA does the indexing in the DBM file the crucial thing?

It is openssl that doesn't allow multiple certs with the same DN. OpenCA
uses the serial number (if the object is a cert) or hashes (if the
object is a request, CRR ...)

We had a long discussion about this problem and our solution was the
following:

* include a serial number into the DN which is not the serialNumber
* this special serial number in the DN could be used to store
  the number of the issued certs of this person
* Entrust has a very similar solution but they use SN for this. We are
  looking for an attribute which has the meaning of a serial number
  and is perhaps different from serialNumber.

The code is actually not written because the 0.8.0-version has the
highest priority. This version demonstrates the final design before we
start with 0.9.x.

Massimiliano - what is with 0.8.0 ? ;-D
Should we create a new subtree in the CVS called openca-0.8 to enforce
development for the stable version? (tar -xvf openca-0.8.0-beta.tar; cvs
add openca-0.8; cvs commit openca-0.8/* ...)

Regards Michael
 
----------------------------------------------------------------------------
Michael Bell                        Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter          Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin       Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6                  Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                             [OpenCA Core Developer]

http://openca.sourceforge.net

Cryptographic signature with S/MIME
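
As an added example (not part of the original message, and not OpenCA or OpenSSL code), the following Python code models the behaviour described in the message: a valid entry blocks a second certificate with the same DN, a revoked one does not, and a per-person counter in the DN avoids the clash. The index lines are constructed in the tab-separated layout of the `openssl ca` index file, and `counterAttr` is a hypothetical attribute name, since the message leaves the choice of attribute open.

```python
# Added illustration; not OpenCA or OpenSSL code.
# Constructed sample in the layout of an "openssl ca" index file (tab-separated:
# status, expiry, revocation date, serial, filename, subject DN).
SAMPLE_INDEX = (
    "R\t030101000000Z\t020601000000Z\t01\tunknown\t/C=DE/O=Example/CN=Alice\n"
    "V\t030101000000Z\t\t02\tunknown\t/C=DE/O=Example/CN=Bob\n"
    "V\t030101000000Z\t\t03\tunknown\t/C=DE/O=Example/CN=Carol/counterAttr=1\n"
)

COUNTER_ATTR = "counterAttr"  # hypothetical name; the message had not chosen one


def parse_index(text):
    """Return a list of (status, serial, subject) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index line: %r" % line)
        status, _expiry, _revoked, serial, _filename, subject = fields
        entries.append((status, serial, subject))
    return entries


def dn_conflicts(entries, subject):
    """Serials of valid ('V') entries that already carry this subject DN."""
    return [serial for status, serial, s in entries if status == "V" and s == subject]


def split_counter(subject, attr=COUNTER_ATTR):
    """Split a DN into (base DN, counter); counter is 0 when absent."""
    base, sep, tail = subject.rpartition("/" + attr + "=")
    if sep and tail.isdigit():
        return base, int(tail)
    return subject, 0


def next_subject(entries, base_dn, attr=COUNTER_ATTR):
    """Base DN plus a counter one higher than any issued for that person."""
    highest = 0
    for _status, _serial, subject in entries:
        base, counter = split_counter(subject, attr)
        if base == base_dn:
            highest = max(highest, counter)
    return "%s/%s=%d" % (base_dn, attr, highest + 1)
```

The counter is taken over revoked entries as well, so a DN that was once issued is never handed out again for a different key.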
