Hello,
Today, pr. Kal. Mar. MMVI, Mark H. Wood wrote:
> I think that part of the difficulty here is the words used. Our
> experience in other areas is overwhelmingly in favor of "serial number"
> being a sample from a counter that starts at 0 or 1 and is incremented by
> 1 every time it's
I think that part of the difficulty here is the words used. Our
experience in other areas is overwhelmingly in favor of "serial number"
being a sample from a counter that starts at 0 or 1 and is incremented by
1 every time it's consulted. So we see a
On Sun, Feb 26, 2006, Dr. Stephen Henson wrote:
> On Sun, Feb 26, 2006, Erwann ABALEA wrote:
>
> > The CA has the possibility to change the name of the issued
> > certificate, by adding a random element (a kind of serial number), but
> > this isn't usually well perceived (the customer always asks
On Sun, Feb 26, 2006, Erwann ABALEA wrote:
> Hello,
>
> Today, IV Kal. Mar. MMVI, Dr. Stephen Henson wrote:
> [... about serial numbers ...]
> > Some CAs choose consecutive values, others what look like random values of
> > hashes.
> >
> > One commercial reason for not using consecutive v
Hello,
Today, IV Kal. Mar. MMVI, Dr. Stephen Henson wrote:
[... about serial numbers ...]
> Some CAs choose consecutive values, others what look like random values of
> hashes.
>
> One commercial reason for not using consecutive values is that competitors can
> work out how many certificat
On Sun, 26 Feb 2006, Dr. Stephen Henson wrote:
[example snipped]
> The fairly large random value for serial numbers is designed to avoid that
> situation but still allow the more knowledgeable user to override that.
>
> If you are sure the issuer name and serial number will be unique then you can
Hello,
Today, IV Kal. Mar. MMVI, Kyle Hamilton wrote:
[...]
> Can you give me a pointer to the several standards that reflect and
> enforce the issuer name + serial number uniqueness? A more
The X.509 says it all.
From this standard, a CA is a name (not a key, really a name). That
allo
On Sun, Feb 26, 2006, Georg Lohrer wrote:
>
> As I have hopefully understood setting the serial number of a CA to a
> distinct number like 1 is good practice. From a technical point of view any
> number should be as good as another as long as they are unique (as you mentioned
> in your post to Kyle)
On Sun, Feb 26, 2006, Kyle Hamilton wrote:
> On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
>
> >
> > It is the combination of issuer name + serial number which must be unique in
> > general: that's enforced by several standards.
> >
> > Certain pieces of software assume that issuer n
On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Sat, Feb 25, 2006, Kyle Hamilton wrote:
>
> > "serialNumber: A unique positive integer." At least I think.
> >
>
> The type of serialNumber that should be accepted doesn't place any limits on
> the sign.
>
> RFC3280 places restrictions
> let's see... you're talking about the authorityKeyIdentifier? I
> thought that that went up 2 steps up the tree and then gave a serial
> number of cert issued by that CA.
No, it identifies the key that is signing the actual cert (or CRL). A CA's
subject key identifier (SKI) gets populated as t
On Sat, Feb 25, 2006, Kyle Hamilton wrote:
> On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> > It was introduced as a bug fix to stop OpenSSL producing invalid
> > certificates
> > under certain circumstances.
> >
> > A clarification indicated that zero was considered an invalid seria
On Sun, 26 Feb 2006, Dr. Stephen Henson wrote:
> On Sun, Feb 26, 2006, Georg Lohrer wrote:
>
> >
> > Even if I create an explicit serial-file it won't be used for the 'req'
> > command (tested with strace).
> >
> > Any ideas what I'm doing wrong? Or is the man-page wrong?
> >
>
> The manual pa
On 2/25/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> It was introduced as a bug fix to stop OpenSSL producing invalid certificates
> under certain circumstances.
>
> A clarification indicated that zero was considered an invalid serial number.
"serialNumber: A unique positive integer." At l
On Sat, Feb 25, 2006, Kyle Hamilton wrote:
> Is there a way to specify the old behavior? (I'm collecting as much
> information as I can on current practice and putting it all together
> -- the overloading of 'authorityKeyIdentifier' is only part of the
> problem with current X.509 practice, and t
Is there a way to specify the old behavior? (I'm collecting as much
information as I can on current practice and putting it all together
-- the overloading of 'authorityKeyIdentifier' is only part of the
problem with current X.509 practice, and that overloading creates a
situation where software m
On Sun, Feb 26, 2006, Georg Lohrer wrote:
>
> Even if I create an explicit serial-file it won't be used for the 'req'
> command (tested with strace).
>
> Any ideas what I'm doing wrong? Or is the man-page wrong?
>
The manual page needs updating. It now uses a random serial number unless a
seri
Hi,
if I use the command:
$ /usr/local/bin/openssl req -x509 -new -days 30 -key ./cacert.key -out ./cacert.pem -outform PEM
to create a self-signed root-certificate the 'man req' page says:
-x509 this option outputs a self signed certificate instead of a
certificate request. This is