Thanks for all your replies! I do wish the spec would be a little more clear... but I'm sure that's by design :-)
-----Original Message----- From: Rich Salz [mailto:[EMAIL PROTECTED] Sent: Sunday, September 05, 2004 10:33 PM To: Wes Thomas Cc: [EMAIL PROTECTED] Subject: Re: [xmlsec] RE: FW: X509SerialNumber > Assuming an audit is done in the future, how do you identify the > issuer certificate? Not to be flip, but that's the issuer's problem. If the issuer wants to ensure that it is properly identified, it must arrange to put some kind of identifier in the certificates that it creates. Yes, you can > I thought that subject name alone does not guarantee uniqueness. That > is the point--if I understand it correctly :-)--of having a serial > number. Subject and serial together provide uniqueness. No they don't. Two different CA's can issue a certificate with the name subjectDN and serialNumber. The *only* guaranttee X509 makes about uniqueness is that a CA will never issue two different certificates with the same serial number. So issuer/serial# uniquely identifies an issued certificate. How do you uniquely identify the CA? Often, just verifying the signature in the cert is enough. But if the same CA has multiple certs, then you have to recurse and get the CA's issuer/serial#, and so on. > Otherwise how would you find the issuer certificate at a later date > without being able to provide the CA with the serial number of the > certificate you wish to verify against? Before deciding to trust a cert, you have to already have accepted the issuer's certificate. Or somewhere up the chain. That's kinda how PKI works. > Besides that, <X509SerialNumber> is contained within the > <X509IssuerSerial> node! Why would that refer to anything BUT the issuer data? Because that's not the way it works. To uniquely a identify a cert issued by ca "c=us,dn=FooBar" you need the serialNumber that FooBar assigned. That's just the way it is. /r$ -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html _______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
