Richard, as far as I read the text from the RFC, they are talking about non-negative numbers. So the range is from 0 to 2^(159)-1 because the one bit missing indicates a negative number.
Best regards
Thomas Beckmann

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of Richard Levitte
> Sent: Monday, 18 July 2005 15:42
> To: openssl-users@openssl.org
> Cc: Jorey Bump
> Subject: Re: Max length of serial number
>
>
> Jorey Bump writes:
>
> > And RFC 3280 has this to say:
> >
> > 4.1.2.2 Serial number
> >
> > The serial number MUST be a positive integer assigned by the CA to
> > each certificate. It MUST be unique for each certificate issued by a
> > given CA (i.e., the issuer name and serial number identify a unique
> > certificate). CAs MUST force the serialNumber to be a non-negative
> > integer.
> >
> > Given the uniqueness requirements above, serial numbers can be
> > expected to contain long integers. Certificate users MUST be able to
> > handle serialNumber values up to 20 octets. Conformant CAs MUST NOT
> > use serialNumber values longer than 20 octets.
> >
> > Note: Non-conforming CAs may issue certificates with serial numbers
> > that are negative, or zero. Certificate users SHOULD be prepared to
> > gracefully handle such certificates.
> >
> > I guess this limits serial numbers to 20 numeric characters,
>
> You do realise, don't you, that 20 octets isn't the same as 20 numeric
> characters?
>
> This means that your serial number span is 0 to 2^(8*20)-1, which is 2^160
> different values. That's enough to give every atom in the known universe a
> few certs each. I bet that's enough for your purposes :-).
>
> Cheers,
> Richard
>
> -----
> Please consider sponsoring my work on free software.
> See http://www.free.lp.se/sponsoring.html for details.
>
> --
> Richard Levitte [EMAIL PROTECTED]
> http://richard.levitte.org/
>
> "When I became a man I put away childish things, including
> the fear of childishness and the desire to be very grown up."
> -- C.S. Lewis
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
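
Added example, not part of the thread and not OpenSSL code: a small Python check of how many DER content octets a serialNumber needs, and of the RFC 3280 section 4.1.2.2 conditions quoted above. It assumes the 20-octet limit is counted on the DER INTEGER content octets; the function names and sample values are constructed for illustration.

```python
# Added illustration: DER INTEGER content octets for certificate serial numbers.
# Assumption: the 20-octet limit applies to the content octets of the INTEGER.
MAX_SERIAL_OCTETS = 20  # limit quoted from RFC 3280 section 4.1.2.2


def der_integer_content(value):
    """Minimal two's-complement content octets of a DER INTEGER."""
    # DER uses the shortest signed big-endian form, so one bit is always the sign.
    magnitude = value if value >= 0 else value + 1
    length = magnitude.bit_length() // 8 + 1
    return value.to_bytes(length, "big", signed=True)


def parse_der_integer(content):
    """Decode content octets, rejecting empty and non-minimal encodings."""
    if not content:
        raise ValueError("empty INTEGER")
    if len(content) > 1:
        # In DER the first nine bits must not be all zeros or all ones.
        padded_zero = content[0] == 0x00 and content[1] < 0x80
        padded_ones = content[0] == 0xFF and content[1] >= 0x80
        if padded_zero or padded_ones:
            raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


def check_serial(content):
    """Return the findings for one serialNumber; an empty list means conformant."""
    findings = []
    value = parse_der_integer(content)
    if value < 0:
        findings.append("negative")
    elif value == 0:
        findings.append("zero")
    if len(content) > MAX_SERIAL_OCTETS:
        findings.append("longer than 20 octets")
    return findings


if __name__ == "__main__":
    # Constructed sample values around the 20-octet boundary.
    samples = [("2^159 - 1", 2**159 - 1), ("2^159", 2**159),
               ("2^160 - 1", 2**160 - 1), ("0", 0), ("-1", -1)]
    for label, value in samples:
        content = der_integer_content(value)
        print(f"{label:>10}: {len(content):2d} octets, findings={check_serial(content)}")
```

The check returns findings instead of raising for negative or zero serials, since the quoted RFC text asks certificate users to handle such certificates gracefully.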