On Tue, Dec 07, 2004, Takurou Saitou wrote:
> Hi,
>
> I have a question about "Reduce the chances of duplicate
> issuer name and serial numbers (in violation of RFC3280)
> using the OpenSSL certificate creation utilities." described
> in "Changes between 0.9.7d and 0.9.7e".
>
> I understand that the chance of a duplicate serial number
> is reduced by making the initial serial number a random 64-bit
> numerical value. However, I cannot understand the basis on which
> this reduces the chance of a duplicate issuer name.
>
> Would anyone explain this a little more in detail for me?
There's a requirement in various standards that issuer name and serial number be unique; some software produces errors if distinct certificates have the same issuer name and serial number.

Before this change the creation of a root CA would use serial number 0 (which a clarification in one of the standards has ruled illegal anyway), the first issued certificate would use 1, the next 2, and so on. If someone entered exactly the same details into the root CA creation process twice and redistributed them, the root CA and all issued certificates would be duplicates. Various newbies were doing this and getting hard-to-trace problems much later, sometimes after deploying several certificates.

The use of random initial serial numbers makes this situation much more unlikely.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
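The failure mode Steve describes, modelled as an added example (not code from the thread or from OpenSSL): two CAs created from identical details, one pair starting at serial 0 as pre-0.9.7e tooling did and one pair starting at a random 64-bit serial as 0.9.7e does. The script only tracks (issuer name, serial) pairs, it does not build real certificates; the assumption that the CA's own certificate takes the initial serial and issued certificates count up from it is a simplification of the real tools, and the names `make_ca`, `find_duplicates` and `serial_is_conforming` are this example's own. The conformance check encodes the RFC 3280 rule that a serial number is a positive integer of at most 20 octets.

```python
"""Model of the issuer-name/serial-number uniqueness problem from the thread.

A relying party identifies a certificate by the pair (issuer name, serial
number); two distinct certificates sharing that pair are indistinguishable
to it. This example (not OpenSSL code) shows why sequential serials starting
at 0 collide when the same CA details are entered twice, and why a random
64-bit starting serial avoids that.
"""
import secrets
from collections import Counter

# OpenSSL 0.9.7e's changelog says the initial serial is a random 64-bit value;
# the constant name is this example's own.
SERIAL_RAND_BITS = 64


def random_serial() -> int:
    """Return a random non-negative serial of SERIAL_RAND_BITS bits."""
    return secrets.randbits(SERIAL_RAND_BITS)


def make_ca(issuer_dn: str, initial_serial: int, n_issued: int) -> list:
    """Return the (issuer, serial) pairs one CA produces.

    Simplification (assumption, not the real tools' exact behaviour): the
    CA's self-signed certificate takes initial_serial and each issued
    certificate takes the next value.
    """
    return [(issuer_dn, initial_serial + i) for i in range(n_issued + 1)]


def find_duplicates(pairs: list) -> list:
    """Return the (issuer, serial) pairs that occur more than once, sorted."""
    counts = Counter(pairs)
    return sorted(p for p, c in counts.items() if c > 1)


def serial_is_conforming(serial: int) -> bool:
    """RFC 3280 4.1.2.2: serial is a positive integer, at most 20 octets."""
    if serial <= 0:
        return False
    # DER-encoded positive INTEGER needs a leading 0x00 when the top bit is
    # set, so the octet count is bit_length // 8 + 1.
    return serial.bit_length() // 8 + 1 <= 20


def compare_schemes(issuer_dn: str, n_issued: int = 3) -> dict:
    """Create the 'same details entered twice' scenario under both schemes."""
    sequential = make_ca(issuer_dn, 0, n_issued) + make_ca(issuer_dn, 0, n_issued)
    randomised = (make_ca(issuer_dn, random_serial(), n_issued)
                  + make_ca(issuer_dn, random_serial(), n_issued))
    return {
        "sequential_duplicates": find_duplicates(sequential),
        "random_duplicates": find_duplicates(randomised),
    }


if __name__ == "__main__":
    # Constructed issuer name for the demonstration.
    dn = "/C=XX/O=Example Org/CN=Example Root CA"
    result = compare_schemes(dn)
    print("sequential scheme duplicates:", result["sequential_duplicates"])
    print("random scheme duplicates:   ", result["random_duplicates"])
    print("serial 0 conforming:", serial_is_conforming(0))
    print("random serial conforming:", serial_is_conforming(random_serial()))
```

With sequential serials every certificate from the second CA collides with one from the first; with random starting serials a collision needs the two 64-bit starting values to land within a handful of each other, which is why the change makes the problem "much more unlikely" rather than impossible. The conformance check also flags serial 0, matching the clarification Steve mentions.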