From: Bear Giles <[EMAIL PROTECTED]>

bear> Of course, this opens the whole can-o-worms of "what constitutes
bear> a duplicate cert?" Is it an exact match, or matching I+SN, or
bear> some other criteria?

Depending on who you listen to, one could say it's the subject, others
will say it's issuer+serial. It all depends on if you want to keep
the history of a specific subject or not. This is of course taken
from an X.500 directory perspective (where things were intended to be
stored by subject, I believe (I'm sure Oscar will correct me if I'm
wrong :-))).

bear> > Trust, BTW, could rather easily be handled by attaching internal
bear> > attributes to certificates with extra information. Those attributes
bear> > are not part of the certificate itself, of course. Was that
bear> > approximately the way you saw this being done as well?
bear>
bear> What will this do to the whole-cert hash value?

Absolutely nothing. Those attributes would be part of the database
record, not part of the certificate itself (which incidentally can be
viewed as another attribute of that record, if you generalise things a
bit, and I think that's how things are done in, for example, LDAP).

bear> (I assume that the whole-cert hash is computed as the SHA-1 hash on
bear> the ASN.1 encoding of the cert... something that I can compute with
bear> ASN1_write_bio(), a mem BIO and a sha1 BIO. Or by another library
bear> crunching on a DER-encoded certificate in the underlying database.)

I assume the same.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
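
The three duplicate criteria raised in this message (exact match by whole-cert SHA-1 over the DER, issuer+serial, and subject), with trust kept as a record attribute beside the certificate, as an added example that is not part of the original message or of OpenSSL. The names `duplicate_keys` and `find_duplicates`, the record layout, and the unsigned sample certificates are assumptions constructed for illustration.

```python
import hashlib

def tlv(tag, body):
    # Short-form DER encoder (< 128 bytes), enough for the constructed samples
    return bytes([tag, len(body)]) + body

def read(buf, pos):
    # Return (tag, value_start, end) of the TLV at pos; handles long-form lengths
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def duplicate_keys(der):
    # The three candidate notions of "same certificate" raised in the thread
    _, p, _ = read(der, 0)                # Certificate SEQUENCE
    _, p, _ = read(der, p)                # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:                # serial, sigalg, issuer, validity, subject
        tag, _, end = read(der, p)
        if tag != 0xA0:                   # skip the optional [0] version field
            fields.append(der[p:end])
        p = end
    serial, _, issuer, _, subject = fields
    return {"exact": hashlib.sha1(der).hexdigest(), "issuer_serial": (issuer, serial), "subject": subject}

def find_duplicates(store, der, criterion):
    # store: list of records {"cert": DER bytes, "attrs": dict kept beside the cert}
    want = duplicate_keys(der)[criterion]
    return [r for r in store if duplicate_keys(r["cert"])[criterion] == want]

def name(cn):
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def sample_cert(serial, issuer_cn, subject_cn):
    # Constructed, unsigned Certificate-shaped DER for the demo; not a real certificate
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"020101000000Z") + tlv(0x17, b"030101000000Z"))
    tbs = tlv(0x30, tlv(0x02, bytes([serial])) + alg + name(issuer_cn) + validity + name(subject_cn))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

old, renewed = sample_cert(1, "Example CA", "host.example"), sample_cert(2, "Example CA", "host.example")
store = [{"cert": old, "attrs": {}}]
hash_before = duplicate_keys(store[0]["cert"])["exact"]
store[0]["attrs"]["trusted"] = True       # internal attribute, not part of the DER
hash_after = duplicate_keys(store[0]["cert"])["exact"]
print({c: len(find_duplicates(store, renewed, c)) for c in ("exact", "issuer_serial", "subject")})
```

Keyed by subject, the renewed certificate collides with the stored one, so a store that treats that as a duplicate would replace it and lose the subject's history; keyed by issuer+serial or by exact hash, both are kept.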