Sorry, I should have marked my question as off-topic, especially since I was just curious. From your post and Scott's, it sounds like this isn't as tight as it ought to be.
Back on topic, I also have doubts about the wisdom of skipping signature verification. > -----Original Message----- > From: Steele Matthew [mailto:[EMAIL PROTECTED] > Sent: Monday, August 29, 2005 3:30 PM > To: security-dev@xml.apache.org > Subject: RE: How to uniquely identify a X509 Certificate ? > > The Online Certificate Status Protocol (OCSP - RFC 2560) handles these > issues by also requiring a hash of the issuer's public key to further > ensure proper identification of the issuer. This can be difficult > though since it usually requires a copy of the issuer's certificate. > But I would echo the concern earlier in the thread - you > shouldn't avoid > doing signature verification just because you have cached a > copy of the > certificate. > > Matt > > -----Original Message----- > From: Jesse Pelton [mailto:[EMAIL PROTECTED] > Sent: Monday, August 29, 2005 3:24 PM > To: security-dev@xml.apache.org > Subject: RE: How to uniquely identify a X509 Certificate ? > > This assumes, of course, that issuer names are unique. This is > obviously a desireable property of such names, and I've always assumed > that it's the case, but I don't know if there's any mechanism that > guarantees it. Is there a global registry of CAs or > something similar? > > > -----Original Message----- > > From: Werner Dittmann [mailto:[EMAIL PROTECTED] > > Sent: Monday, August 29, 2005 3:12 PM > > To: security-dev@xml.apache.org > > Subject: Re: How to uniquely identify a X509 Certificate ? > > > > There are several ways: > > the issuername/issuer serial will uniquely identify a > > certificate. Each issuer of a cert (a trusted certifcate > > authority, CA) will never use a serial number twice. Thus > > this compination is unique. > > > > Similar for Subject Key Identifier (SKI), available only > > in V3 certs, uniquely identifies a cert (AFAI RFC3288 > > describes the alog to compute the SKI, its a SHA-1 hash > > of the subject's public key. > > > > Regards, > > Werner > > > > Tech Rams wrote: > > > Couple of points actually > > > 1. Not sure how you can avoid signature verification - > > > the very reason a signature is provided is to ensure > > > that data is not modified on the way (plus sender > > > authentication). This means you will have to verify > > > the signature for every message you receive. > > > > > > 2. one way to uniquely identify a certificate is using > > > the issuer's DN and serial #. You can get that info > > > from the certificate. If it is a V3 certificate you > > > can also use Subject Key Identifier along with the > > > Subject DN. But I am not sure that could be unique > > > across certificates issued to the same DN across > > > multiple CAs. If that risk is not there, you can use > > > that. > > > > > > > > > > > > > > > --- Miha Vidmar <[EMAIL PROTECTED]> wrote: > > > > > > > > >>Hi, > > >> > > >>I'm having a similar sort of a problem, only I'm > > >>validating certificate > > >>chains. > > >> > > >>A unique identifier for certificates could be Issuer > > >>and certificate serial > > >>number and are relatively easy to obtain. > > >> > > >>For you i would recommend comparing Issuer.SubjectDN > > >>and current certificate > > >>serial number. But it's not 100% safe, since > > >>multiple CA's can have the same > > >>SubjectDN (not likely, unless somebody is trying to > > >>hack). I have yet to > > >>figure out how to compare Certificate Authority Key > > >>Identifiers, which would > > >>be safe to use. > > >> > > >>Miha > > >> > > >>-----Original Message----- > > >>From: Kr [mailto:[EMAIL PROTECTED] > > >>Sent: Monday, August 29, 2005 3:24 PM > > >>To: security-dev@xml.apache.org > > >>Subject: How to uniquely identify a X509 Certificate > > >>? > > >> > > >>Hi All, > > >> > > >>Basically I am doing the w3c's > > >>xml-signature-verification-process for a web > > >>service on the sevrver side. For this I extract the > > >>certificate from the > > >>signature and compare it between requests. Say if I > > >>get the request for the > > >>first time then I'll extract the certificate as > > >>bytes and compute the > > >>message digest and put it in a java HashMap as key > > >>(key being Certificates's > > >>SubjectDN) value object. Next time when the same > > >>request comes then I'll > > >>repeat the above process and compare the digest with > > >>the HashMap values and > > >>if a match is found then I would avoid signature > > >>verifiation process. Using > > >>all this I want to save the time consumed by > > >>xml-signatuere verification > > >>process. > > >> > > >>Now my question is, how to uniquely identify a > > >>certificate. If I open the > > >>X509 Version 3 Certificate using tools like java > > >>keytool, KeyStore Explorer > > >>then I can MD5-Fingerprint and SHA1-Fingerprint and > > >>I guess these are unique > > >>to a certficate. Are these fingerprints unique for a > > >>certificate ? If my > > >>understanding is correct then are there any java > > >>API's available for us to > > >>extract these fingerprints and help me in uniquely > > >>identifying the > > >>certificates. > > >> > > >>Please suggest ... > > >> > > >> > > >>Thanks & Regards, > > >>Kr. >
