On Sun, Feb 26, 2006, Dr. Stephen Henson wrote: > On Sun, Feb 26, 2006, Erwann ABALEA wrote: > > > The CA has the possibility to change the name of the issued > > certificate, by adding a random element (a kind of serial number), but > > this isn't usually well percieved (the customer always asks for > > clarification about this random stuff added to his identity), and it > > prevents an end-user to renew a certificate with the same exact > > identity (since this will render the counter-measure useless). > > > > > > >From my understanding of the collision a non-critical extension would be > another place but people would of course ask what it was for. >
My recollection of the collision construction was faulty. Non critical extensions wouldn't do because they would appear after the public key. The construction only needs to be able to predict everything before the public key portion of a certificate: it can use whatever the CA provides afterwards as long as it is the same in the two certificates. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
