Rob Stradling <[email protected]> wrote:
>> > Ah, so a CA's Subject DN does have to be globally unique then! So
>> if
>>
>> No, it does not. It does not even need to be unique within the CA.
>> And if you think about it, if someone wants a new certificate before
>> the old one expires, one needs exactly that.
>> IssuerDN+(certificate)SerialNumber is unique, nothing else.
> I think we're in violent agreement. The CA's Subject DN is the
> IssuerDN in the certs issued by that CA.
Ah! I misread. I see that by "CA's Subject DN" you are referring to the CA's signing
certificate, which I do agree is the IssuerDN. But it's confusing to talk
about it that way in my opinion.
Once a CA's certificate is in a trust store, nobody looks at anything other
than the public key.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
