From: Bear Giles <[EMAIL PROTECTED]>

bear> Of course, this opens the whole can-o-worms of "what constitutes
bear> a duplicate cert?"  Is it an exact match, or matching I+SN, or
bear> some other criteria?

Depending on who you listen to, some will say it's the subject, others
will say it's issuer+serial.  It all depends on whether you want to keep
the history of a specific subject or not.  This is of course taken
from an X.500 directory perspective (where things were intended to be
stored by subject, I believe (I'm sure Oscar will correct me if I'm
wrong :-))).

bear> > Trust, BTW, could rather easily be handled by attaching internal
bear> > attributes to certificates with extra information.  Those attributes
bear> > are not part of the certificate itself, of course.  Was that
bear> > approximately the way you saw this being done as well?
bear> 
bear> What will this do to the whole-cert hash value?

Absolutely nothing.  Those attributes would be part of the database
record, not part of the certificate itself (which incidentally can be
viewed as another attribute of that record, if you generalise things a
bit, and I think that's how things are done in, for example, LDAP).

bear> (I assume that the whole-cert hash is computed as the SHA-1 hash on 
bear> the ASN.1 encoding of the cert... something that I can compute with 
bear> ASN1_write_bio(), a mem BIO and a sha1 BIO.  Or by another library
bear> crunching on a DER-encoded certificate in the underlying database.)

I assume the same.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus:             http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
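The three points in the exchange above (dedup key: subject vs. issuer+serial; trust attributes living in the database record rather than in the certificate; whole-cert hash as SHA-1 over the DER bytes) as one runnable illustration. This is an added example, not OpenSSL code and not anything Richard or Bear posted: it uses only the Python standard library, with a tiny DER encoder to construct a sample X.509-shaped certificate (hypothetical names "Example CA"/"alice", bogus RSA key and an all-zero signature, so it is not cryptographically valid) and a tiny DER reader to pull the identity fields back out. The function names (`make_cert`, `cert_identity`, `store`, `demo`) are this example's own.

```python
"""Dedup keys, out-of-cert trust attributes, and the whole-cert SHA-1 hash.

Added example (stdlib only, not OpenSSL's own code).  The sample
certificate is constructed below with a dummy signature: it exercises
the DER layout, not any signature check.
"""
import hashlib

# --- minimal DER encoder, used only to build the constructed sample cert ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    # One extra bit of room so the sign bit stays clear (positive INTEGER).
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_name(cn):
    # Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue (2.5.4.3 = CN)
    oid_cn = tlv(0x06, bytes([0x55, 0x04, 0x03]))
    return tlv(0x30, tlv(0x31, tlv(0x30, oid_cn + tlv(0x0C, cn.encode()))))

def make_cert(serial, issuer_cn, subject_cn):
    """Constructed v1-layout X.509 DER with a bogus key and all-zero signature."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + b"\x05\x00")
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    rsa_key = tlv(0x30, der_int(0xC0FFEE) + der_int(65537))  # fake modulus, e=65537
    spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010101")) + b"\x05\x00")
                     + tlv(0x03, b"\x00" + rsa_key))
    tbs = tlv(0x30, der_int(serial) + sha256_rsa + der_name(issuer_cn)
                    + validity + der_name(subject_cn) + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + b"\x00" * 32))

# --- minimal DER reader, enough to walk TBSCertificate ---
def read_tlv(buf, off):
    """Return (tag, value bytes, offset after the element) for the TLV at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        ln, hdr = first, 2
    else:
        n = first & 0x7F
        ln, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    start = off + hdr
    return tag, buf[start:start + ln], start + ln

def children(seq_value):
    """List of (tag, full encoded element) for each child of a SEQUENCE/SET value."""
    out, off = [], 0
    while off < len(seq_value):
        tag, _, nxt = read_tlv(seq_value, off)
        out.append((tag, seq_value[off:nxt]))
        off = nxt
    return out

def cert_identity(der):
    """Whole-cert SHA-1 over the exact DER bytes plus serial, issuer and subject DER."""
    _, cert_body, _ = read_tlv(der, 0)
    _, tbs_raw = children(cert_body)[0]
    _, tbs_body, _ = read_tlv(tbs_raw, 0)
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:          # v3 certs carry an explicit [0] version first
        fields = fields[1:]
    serial = int.from_bytes(read_tlv(fields[0][1], 0)[1], "big", signed=True)
    return {"sha1": hashlib.sha1(der).hexdigest(), "serial": serial,
            "issuer": fields[2][1], "subject": fields[4][1]}

# --- the two candidate "duplicate" definitions from the thread ---
def key_issuer_serial(ident):
    return (ident["issuer"], ident["serial"])

def key_subject(ident):
    return ident["subject"]

def store(records, der, key_fn, **trust_attrs):
    """Store a cert under key_fn; trust attributes sit in the record, not the cert.
    Returns True when an existing entry with the same key was overwritten."""
    ident = cert_identity(der)
    k = key_fn(ident)
    replaced = k in records
    records[k] = {"der": der, "sha1": ident["sha1"], **trust_attrs}
    return replaced

# Constructed sample: a renewal for the same subject, new serial from the same issuer.
OLD = make_cert(1, "Example CA", "alice")
NEW = make_cert(2, "Example CA", "alice")

def demo():
    by_is, by_subj = {}, {}
    store(by_is, OLD, key_issuer_serial, trusted=True)
    store(by_is, NEW, key_issuer_serial, trusted=False)
    store(by_subj, OLD, key_subject, trusted=True)
    replaced = store(by_subj, NEW, key_subject, trusted=False)
    rec = by_is[key_issuer_serial(cert_identity(OLD))]
    return {"issuer_serial_records": len(by_is),     # 2: history kept
            "subject_records": len(by_subj),         # 1: renewal overwrote the old one
            "subject_key_replaced_old": replaced,
            "hash_unchanged_by_attrs": rec["sha1"] == hashlib.sha1(OLD).hexdigest()}
```

Keying on subject collapses the renewal onto one record (the old certificate's history is gone), while issuer+serial keeps both; and because the trust flag lives beside the DER in the record, the whole-cert hash is the same with or without it. The reader accepts a v3 certificate's explicit version tag as well, but it does not parse extensions or verify anything.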