> > Is it required that a CA's Subject DN must be globally unique?
>
> No.
>
> RFC 5280, section 4.1.2.2:
> "It [the serial number] MUST be unique for each certificate issued by a
> given CA (i.e., the issuer name and serial number identify a unique
> certificate)."

Ah, so a CA's Subject DN does have to be globally unique then! So if multiple independent "CAs" happen to share the same DN but have different keypairs, RFC5280 expects serial number uniqueness across the combined set of certificates issued by those independent "CAs".

> And a question: Is there anything in PKIX that bans two issuers with
> the same key but different name (that has happened) from issuing a
> certificate with the same serial number?

Not that I'm aware of. If such a ban existed, I would expect to see it expressed in RFC 5280 section 4.1.2.2.

________________________________
From: Acme <[email protected]> on behalf of Ilari Liusvaara <[email protected]>
Sent: 26 July 2023 20:20
To: [email protected] <[email protected]>
Subject: Re: [Acme] Practical concerns of draft-ietf-acme-ari

On Wed, Jul 26, 2023 at 03:56:12PM +0000, Rob Stradling wrote:
> Is it required that a CA's Subject DN must be globally unique?

No.

RFC 5280, section 4.1.2.2:
"It [the serial number] MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
certificate)."

And a question: Is there anything in PKIX that bans two issuers with
the same key but different name (that has happened) from issuing a
certificate with the same serial number?

I checked baseline requirements, I did not see anything banning that
(albeit the entropy requirements make it unlikely).

-Ilari
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
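An added example, not part of the thread or written by either poster: a small check that a certificate inventory can run to find identifiers that name more than one certificate, covering both cases discussed above (same issuer DN with different keypairs, and same issuer key under different names). The record fields, DNs, key labels and serials are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample inventory. "fp" stands in for a certificate fingerprint,
# "issuer_key" for an identifier of the issuer's public key (assumed fields).
CERTS = [
    # Case 1: two independent CAs share one Subject DN but hold different keypairs.
    {"fp": "cert-A", "issuer_dn": "CN=Example CA,O=One", "issuer_key": "key-1", "serial": 0x1001},
    {"fp": "cert-B", "issuer_dn": "CN=Example CA,O=One", "issuer_key": "key-2", "serial": 0x1001},
    # Case 2: one keypair is used by issuers with two different names.
    {"fp": "cert-C", "issuer_dn": "CN=Old Name CA", "issuer_key": "key-3", "serial": 0x2002},
    {"fp": "cert-D", "issuer_dn": "CN=New Name CA", "issuer_key": "key-3", "serial": 0x2002},
    # Control: same issuer as cert-C, different serial.
    {"fp": "cert-E", "issuer_dn": "CN=Old Name CA", "issuer_key": "key-3", "serial": 0x2003},
]

# Identifier schemes to compare. The first is the RFC 5280 section 4.1.2.2 pair.
SCHEMES = {
    "issuer DN + serial": ("issuer_dn", "serial"),
    "issuer key + serial": ("issuer_key", "serial"),
    "issuer DN + issuer key + serial": ("issuer_dn", "issuer_key", "serial"),
}


def ambiguous(certs, fields):
    """Return {identifier: sorted fingerprints} for identifiers naming >1 certificate."""
    index = defaultdict(set)
    for cert in certs:
        index[tuple(cert[f] for f in fields)].add(cert["fp"])
    return {ident: sorted(fps) for ident, fps in index.items() if len(fps) > 1}


def report(certs):
    """Run every scheme over the inventory and collect its ambiguous identifiers."""
    return {name: ambiguous(certs, fields) for name, fields in SCHEMES.items()}


if __name__ == "__main__":
    for name, hits in report(CERTS).items():
        print(f"{name}: {len(hits)} ambiguous identifier(s)")
        for ident, fps in hits.items():
            print(f"  {ident} -> {fps}")
```
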
