I'm not that keen on the phrase ritual compliance. There is a lot of PKI code in the world that assumes that issuer/serial is a unique identifier for a good X.509 certificate.
It'd be best to not break such code by invalidating that assumption. If there's a good enough reason to do it, that might be ok, but I figure the burden to demonstrate that that is in fact ok should be on those arguing for such a change.

S.

PS: No hats, just a comment:-)
