In message <[EMAIL PROTECTED]> on Wed, 05 Mar 2008 10:07:18 -0500, "Brian A. Seklecki" <[EMAIL PROTECTED]> said:
lavalamp> Architecture question:
lavalamp>
lavalamp> Do certificate serial numbers within a multi-tier
lavalamp> certificate authority chain need be globally unique?

Depends on what you mean with "globally". If you mean world-wide,
then no. The sheer thought is ludicrous. If you mean "signed by the
same CA" then yes. Certificates are uniquely identified with the
couple <issuing DN, serial>.

lavalamp> A Thunderbird user recently received the following error
lavalamp> because his cert serial number, as signed by one CA, matched
lavalamp> the serial number of the server, both of which were signed
lavalamp> by CA signing certs signed by a master CA

OK, hold on, that wasn't quite clear. Which one of the following
structures are you describing?

          MCA
         /   \
      CA1     CA2
       |       |
       SC      UC

or

          MCA
           |
           CA
          /  \
        SC    UC

(MCA = Master CA; CA, CA1, CA2 = sub-CAs; SC = Server Cert; UC = User Cert)

lavalamp> "Your certificate contains the same serial number as another
lavalamp> certificate issued by the certificate authority. Please get
lavalamp> a new certificate containing a unique serial number"

This indicates that both the SC and UC were given the same serial
number and were signed by the same CA (scenario 2 above).

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
 -- C.S. Lewis
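
Added example (not part of the original message, and not OpenSSL project code): an audit that flags certificates sharing the same <issuing DN, serial> pair, run over the two structures drawn above. It assumes input in the `issuer=` / `serial=` form printed by `openssl x509 -noout -issuer -serial`; the DNs, serials and function names are constructed for illustration.

```python
# Added example: audit for duplicate <issuer DN, serial> pairs.
# Input text mimics `openssl x509 -noout -issuer -serial` output,
# one issuer=/serial= pair per certificate. All sample data is constructed.
from collections import defaultdict

def parse_records(text):
    """Yield (issuer_dn, serial_int) for each issuer=/serial= pair in text."""
    issuer = None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "issuer":
            issuer = value
        elif key == "serial" and issuer is not None:
            # Compare serials as integers so "0A" and "0a" are the same value.
            yield issuer, int(value, 16)
            issuer = None

def find_collisions(labelled_outputs):
    """Map (issuer, serial) -> labels, for pairs claimed by more than one cert."""
    seen = defaultdict(list)
    for label, text in labelled_outputs:
        for issuer, serial in parse_records(text):
            seen[(issuer, serial)].append(label)
    return {pair: labels for pair, labels in seen.items() if len(labels) > 1}

# Scenario 1: SC and UC issued by different sub-CAs with the same serial.
SCENARIO_1 = [
    ("SC", "issuer=CN = CA1, O = Example\nserial=0A\n"),
    ("UC", "issuer=CN = CA2, O = Example\nserial=0A\n"),
]
# Scenario 2: SC and UC issued by the same sub-CA with the same serial.
SCENARIO_2 = [
    ("SC", "issuer=CN = CA, O = Example\nserial=0A\n"),
    ("UC", "issuer=CN = CA, O = Example\nserial=0a\n"),
]

if __name__ == "__main__":
    for name, certs in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        print(name, find_collisions(certs) or "no collision")
```

Issuer DNs are compared as exact strings here, so the same DN printed in two different formats would not be matched.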