> OpenSSL currently thinks that the DN can be used as a primary key for
> certificates
Yeah, that's way too simple-minded.
> One first step to make things right is to use the DN
> plus any key identifier that may be available
The nice thing about key (and/or cert) identifiers is that there are so many
to choose from. To steal a phrase. :)
> Possibly it makes sense to stop searches at
> the first matching certificate that is valid according to the system
> clock
That won't work. It's common practice to issue certs with overlapping
validity periods. And if the key is on tamper-evident hardware, there's
no reason not to recertify the same keypair.
> we'd just claim it's their fault alone.
Unfortunately it'd be "our" fault alone.
The only really valid search key is <subject,issuer,serial>
/r$
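The argument above (a DN is not a unique key; "first cert valid by the system clock" breaks under overlapping validity; only <subject,issuer,serial> identifies one certificate) can be shown with a small model of a certificate store. This is an added illustration, not code from the thread or from OpenSSL; the `Cert` class, the store contents, the dates and the serial numbers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed for the example)."""
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


# Constructed "system clock" values used by the lookups below.
NOW = datetime(2024, 6, 1)
LATER = NOW + timedelta(days=100)

# Constructed store: the same CA recertifies the same subject (and, as the
# thread notes, plausibly the same keypair) with overlapping validity, and a
# second CA has issued a cert for an identical DN.
STORE = [
    Cert("CN=www.example.test", "CN=Example CA", 1001,
         NOW - timedelta(days=300), NOW + timedelta(days=65)),
    Cert("CN=www.example.test", "CN=Example CA", 1002,
         NOW - timedelta(days=30), NOW + timedelta(days=335)),
    Cert("CN=www.example.test", "CN=Other CA", 7,
         NOW - timedelta(days=10), NOW + timedelta(days=100)),
    Cert("CN=old.example.test", "CN=Example CA", 5,
         NOW - timedelta(days=800), NOW - timedelta(days=435)),
]


def find_by_dn(store, subject):
    """DN-only search: returns every cert carrying that subject."""
    return [c for c in store if c.subject == subject]


def lookup_ambiguity(store, subject, when):
    """(number of DN matches, number of those still valid at `when`)."""
    matches = find_by_dn(store, subject)
    valid = [c for c in matches if c.valid_at(when)]
    return len(matches), len(valid)


def first_valid_serial(store, subject, when):
    """The 'stop at the first cert valid by the system clock' heuristic.

    With overlapping validity the answer depends on store order and on the
    clock, so the same query silently resolves to different certs over time.
    """
    for c in store:
        if c.subject == subject and c.valid_at(when):
            return c.serial
    return None


def find_by_key(store, subject, issuer, serial):
    """Search on <subject,issuer,serial>: at most one cert can match."""
    matches = [c for c in store
               if (c.subject, c.issuer, c.serial) == (subject, issuer, serial)]
    assert len(matches) <= 1, "issuer+serial must be unique per CA"
    return matches[0] if matches else None


def can_index(store, key_fn):
    """True if key_fn yields a unique key for every cert in the store.

    A store keyed on the DN alone cannot even be built without one entry
    overwriting another; the <subject,issuer,serial> key has no collisions.
    """
    seen = set()
    for c in store:
        k = key_fn(c)
        if k in seen:
            return False
        seen.add(k)
    return True


if __name__ == "__main__":
    subj = "CN=www.example.test"
    print("DN matches / valid now:", lookup_ambiguity(STORE, subj, NOW))
    print("first-valid now:", first_valid_serial(STORE, subj, NOW),
          "later:", first_valid_serial(STORE, subj, LATER))
    print("DN is a usable primary key:", can_index(STORE, lambda c: c.subject))
    print("<subject,issuer,serial> is:",
          can_index(STORE, lambda c: (c.subject, c.issuer, c.serial)))
```

Running it shows three certs for one DN, all three valid at once, the first-valid heuristic returning serial 1001 today and 1002 a hundred days later, and that only the full triple gives a collision-free index.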
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]