Assuming an audit is done in the future, how do you identify the issuer certificate? I thought that subject name alone does not guarantee uniqueness. That is the point--if I understand it correctly :-)--of having a serial number. Subject and serial together provide uniqueness.
Otherwise how would you find the issuer certificate at a later date without being able to provide the CA with the serial number of the certificate you wish to verify against? Besides that, <X509SerialNumber> is contained within the <X509IssuerSerial> node! Why would that refer to anything BUT the issuer data?

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 02, 2004 11:57 AM
To: Wes Thomas
Cc: [EMAIL PROTECTED]
Subject: Re: FW: X509SerialNumber

No, I think you are mistaken. "Issuer serial" is the serial number of this certificate and it is unique for all certificates from this issuer. Thus the certificate can be identified by the issuer name and the "issuer serial number" of the certificate.

Aleksey

Wes Thomas wrote:
> Does the X509SerialNumber node within the X509IssuerSerial node, *NOT*
> refer to the serial number for the issuer certificate?
> <X509IssuerSerial>
> <X509IssuerName>My CA for Certificate A</X509IssuerName>
> <X509SerialNumber>12345678</X509SerialNumber>
> </X509IssuerSerial>
>
> The way I read
> http://www.w3.org/TR/2000/WD-xmldsig-core-20000510/#sec-X509Data and
> the example they give (listed above), the X509SerialNumber should
> contain the issuer's serial number, NOT the serial number of the
> certificate used for signing. Is this correct?

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
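As an added illustration (not code from this thread or from xmlsec), the sketch below resolves the X509IssuerSerial element quoted above against a constructed in-memory certificate list, reading the pair as XML-DSig defines it: the issuer's name plus the serial number that issuer assigned to the signing certificate. The store layout, the function names and the plain string comparison of issuer names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not real certificates): issuer name, serial, subject.
CERT_STORE = [
    # The CA's own certificate, issued by a hypothetical root with serial 7.
    {"issuer": "Example Root", "serial": 7, "subject": "My CA for Certificate A"},
    # Two certificates with the same subject from the same CA (e.g. a renewal):
    # only the serial number tells them apart.
    {"issuer": "My CA for Certificate A", "serial": 12345600, "subject": "Signer"},
    {"issuer": "My CA for Certificate A", "serial": 12345678, "subject": "Signer"},
]

# The element from the thread, unchanged.
KEYINFO = """<X509IssuerSerial>
<X509IssuerName>My CA for Certificate A</X509IssuerName>
<X509SerialNumber>12345678</X509SerialNumber>
</X509IssuerSerial>"""


def _local(tag):
    # Drop a "{namespace}" prefix so the lookup works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def parse_issuer_serial(xml_text):
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    fields = {_local(el.tag): (el.text or "").strip() for el in root.iter()}
    if "X509IssuerName" not in fields or "X509SerialNumber" not in fields:
        raise ValueError("X509IssuerSerial needs both child elements")
    # The serial is a decimal integer; compare numerically, not as text.
    return fields["X509IssuerName"], int(fields["X509SerialNumber"], 10)


def find_certificate(store, issuer, serial):
    # Match on the certificate's issuer field and its own serial number.
    hits = [c for c in store if c["issuer"] == issuer and c["serial"] == serial]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} certificates match issuer/serial")
    return hits[0]


def resolve(xml_text, store=CERT_STORE):
    return find_certificate(store, *parse_issuer_serial(xml_text))


if __name__ == "__main__":
    print(resolve(KEYINFO))
```

A real verifier would compare distinguished names after canonicalisation rather than as raw strings, and would then build the chain from the resolved certificate up to its issuer.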
