Bruno Costacurta schrieb:
[...]- serial information within the certificate is uselessIf you are still talking of only the serial number you are correct. But if you also know the issuing CA you can uniquely identify the certificate. A CRL (Certificate Revocation List) for example works by publishing the serial numbers which have been revoked by a CA and OCSP also tells you the status of a certificate if you only tell the (CA specific) responder the serial number.As far as I understand, the serial information within the certificate is only useful as a reference for the CA. This reference can be used by the CA to revoke the certificate. Is this correct ?
Yes.
Is there other action that can be made by the CA on a specific certificate (ie. renew, some metadata changes...) ?The CA may keep a database, indexed by the serial number, containing some information about the certificate (OpenSSL's CA command does this in the form of the index-file). So like you said the serial can help the CA to find metadata about a certificate, probably including the certificate itself (like in the OpenSSL CA). If the metadata contain the CSR (OpenSSL CA index does not) it would be possible to re-issue a certificate, possibly with modified metadata.
Thanks, Bruno
Hope it helps, Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
smime.p7s
Description: S/MIME Cryptographic Signature
