Dr. Stephen Henson wrote:
> The two would look identical and certificates issued by the two CA could get
> duplicate serial numbers all over the place.
>
> So the default is to do something "safe". If someone knows what they are doing
> they can use different serial numbers and low values if they wish.

Sounds reasonable. I would have preferred a timestamp as a serial number, because this kind of sequence really can prevent doubles (while randomness only makes it unlikely). But anyway: Whoever wants something different can still choose to create the serial number in a way he likes.

Regards,
Olaf

--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet