On Sat, Feb 25, 2006, Kyle Hamilton wrote:

> On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> > It was introduced as a bug fix to stop OpenSSL producing invalid
> > certificates under certain circumstances.
> >
> > A clarification indicated that zero was considered an invalid serial
> > number.
>
> "serialNumber: A unique positive integer." At least I think.
>

The type of serialNumber that should be accepted doesn't place any limits
on the sign. RFC3280 places restrictions on what a CA should generate. It
says it must be "non-negative" at one point, which is >= 0. In another
place it states that zero or negative is invalid, i.e. >0 is valid.

> > Issuing certificates with duplicate issuer and serial numbers is
> > illegal and can cause strange problems which are difficult to
> > diagnose.
>
> Let's see... you're talking about the authorityKeyIdentifier? I
> thought that that went up 2 steps up the tree and then gave a serial
> number of a cert issued by that CA.
>
> And I'm trying to parse this more effectively, can you tell me if you
> meant something other than: "A CA that issues certificates cannot
> issue a certificate that has the same serial number as its own serial
> number"? This suggests that the CA's serial number is imported into
> the context of its own signatures' serial numbers, even when it's a
> sub-CA?
>

It is the combination of issuer name + serial number which must be unique
in general: that's enforced by several standards. Certain pieces of
software assume that issuer name + serial number can be used as a unique
index and can cause all manner of problems if that turns out not to be
the case.

An obvious consequence is that a CA cannot sign different certificates
with the same serial number.

Whether a CA can sign a certificate with its own serial number depends on
the CA. If the CA has the same issuer name and subject name then it has
effectively "issued itself" (the term "self issued" is sometimes used), so
it cannot sign a further certificate with its serial number.

In the case of CAs with different issuer and subject names that isn't the
case, and it can issue a certificate with its own serial number.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
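The two rules discussed in the message above (a serialNumber must be a positive integer of at most 20 octets, and issuer name + serial number must be unique, which bites when a self-issued CA reuses its own serial) can be checked mechanically. The following is an added example written for this page; it is not code from the thread, from OpenSSL, or from RFC 3280. It contains a minimal DER INTEGER encoder/decoder in pure Python (no third-party dependencies), a classifier for the RFC 3280 4.1.2.2 serial rules, and a duplicate finder over a constructed set of (issuer, subject, serial) tuples. The function names, the `SAMPLE_CERTS` data and the distinguished names in it are all made up for illustration; the sample data models exactly the two cases Steve describes: a self-issued root that reuses its own serial (a collision) and a sub CA with a different issuer name that does the same (no collision).

```python
# Added example (not from the thread or OpenSSL): checks a DER-encoded X.509
# serialNumber against the RFC 3280 4.1.2.2 rules discussed above, and finds
# duplicate (issuer name, serial) pairs in a constructed set of certificates.


def encode_der_integer(value: int) -> bytes:
    """Minimal DER encoding of an INTEGER (short-form length only)."""
    n = (value.bit_length() + 8) // 8          # one extra bit for the sign
    content = value.to_bytes(n, "big", signed=True)
    # Strip redundant leading 0x00 / 0xFF octets so the encoding is minimal.
    while len(content) > 1 and (
        (content[0] == 0x00 and not content[1] & 0x80)
        or (content[0] == 0xFF and content[1] & 0x80)
    ):
        content = content[1:]
    if len(content) > 127:
        raise ValueError("value too large for short-form length")
    return bytes([0x02, len(content)]) + content


def decode_der_integer(buf: bytes) -> int:
    """Decode a DER INTEGER TLV, rejecting anything that is not valid DER.

    Returns the signed value. Raises ValueError on a wrong tag, a long-form
    length (never needed for a 20-octet serial), truncation, trailing bytes,
    or a non-minimal encoding (leading 0x00 before a clear sign bit, or
    leading 0xFF before a set sign bit).
    """
    if len(buf) < 3 or buf[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = buf[1]
    if length & 0x80:
        raise ValueError("long-form length not expected for a serialNumber")
    content = buf[2:2 + length]
    if len(content) != length or len(buf) != 2 + length:
        raise ValueError("truncated INTEGER or trailing bytes")
    if length > 1:
        if content[0] == 0x00 and not content[1] & 0x80:
            raise ValueError("non-minimal encoding (redundant leading 0x00)")
        if content[0] == 0xFF and content[1] & 0x80:
            raise ValueError("non-minimal encoding (redundant leading 0xFF)")
    return int.from_bytes(content, "big", signed=True)


def check_serial(serial_der: bytes) -> str:
    """Classify a serialNumber against RFC 3280 4.1.2.2.

    A conforming CA MUST issue a positive integer of at most 20 octets.
    Relying parties SHOULD still accept zero or negative values gracefully
    (the "non-negative" vs. "positive" wording the thread points out), so
    those are reported as a category rather than treated as a parse failure.
    Returns 'ok', 'zero', 'negative', 'too-long' or 'malformed'.
    """
    try:
        value = decode_der_integer(serial_der)
    except ValueError:
        return "malformed"
    if value < 0:
        return "negative"
    if value == 0:
        return "zero"
    if serial_der[1] > 20:                      # content octets (short form)
        return "too-long"
    return "ok"


def find_duplicate_issuer_serials(certs):
    """Return the (issuer, serial) pairs that occur more than once.

    certs is an iterable of (issuer_name, subject_name, serial_der). Only
    issuer name + serial number matters for uniqueness; the subject is kept
    so the self-issued case is visible in the sample data below.
    """
    counts = {}
    for issuer, _subject, serial_der in certs:
        key = (issuer, decode_der_integer(serial_der))
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


# Constructed sample data, not real certificates: (issuer, subject, serial DER).
SAMPLE_CERTS = [
    ("CN=Root CA", "CN=Root CA", encode_der_integer(1)),          # self-issued root
    ("CN=Root CA", "CN=www.example.com", encode_der_integer(1)),  # root reuses its own serial
    ("CN=Root CA", "CN=Sub CA", encode_der_integer(2)),           # sub CA, issuer != subject
    ("CN=Sub CA", "CN=mail.example.com", encode_der_integer(2)),  # sub CA reuses its serial: fine
]

if __name__ == "__main__":
    for value in (1, 0, -1, 1 << 160):
        print(value, "->", check_serial(encode_der_integer(value)))
    print("non-minimal 00 7f ->", check_serial(b"\x02\x02\x00\x7f"))
    print("duplicate issuer+serial:", find_duplicate_issuer_serials(SAMPLE_CERTS))
```

Running the file prints the classification for serials 1, 0, -1 and a 21-octet value, reports the non-minimal encoding `02 02 00 7f` as malformed (a DER decoder must reject it even though the value 127 is positive), and lists `("CN=Root CA", 1)` as the only colliding issuer + serial pair: the self-issued root and the end-entity certificate it signed with serial 1 share both fields, while the sub CA's reuse of serial 2 is harmless because the issuer names differ.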