Amplifying on my previous reply... Anders Rundgren wrote:
> Serial number + Issuer MUST indeed be unique within a CA.

That is, the field of the certificate, whose field name is "issuer", which is the issuer's DN, together with the serial number, must be unique.

> Therefore the following was interpreted as incorrect:
>
> Issuer: Root
> Serial: 1
> Subject: Root
>
> Issuer: Root
> Serial: 1
> Subject: Sub
>
> But you must apply path building before enforcing the serial-issuer rule.

No, the requirement is for uniqueness of the pair (issuer NAME, serial number). The above example shows two clearly different certs with the same issuer NAME and serial numbers.

Here is part of RFC 3280's definition of a certificate:

> TBSCertificate ::= SEQUENCE {
>     version         [0] EXPLICIT Version DEFAULT v1,
>     serialNumber         CertificateSerialNumber,
>     signature            AlgorithmIdentifier,
>     issuer               Name,
>     validity             Validity,
>     subject              Name,

Notice the fields named "serialNumber" and "issuer". It is the combination of those two fields that must be unique.

> 4.1.2.2 Serial number
>
> The serial number MUST be a positive integer assigned by the CA to
> each certificate. It MUST be unique for each certificate issued by a
> given CA (i.e., the issuer name and serial number identify a unique
> certificate).

Notice it says "issuer name".

--
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
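The (issuer name, serial number) check discussed in this thread, as an added example that is not code from the thread or from NSS: a small in-memory certificate index in Python keyed on the issuer DN and serial, with the DN normalised per the RFC 3280 4.1.2.4 name-comparison rules before it is used as a key. The certificates are constructed sample dicts rather than parsed DER, and the `issuer`/`serial`/`subject` field names are assumptions of this model.

```python
import re


def normalize_name(name):
    """Canonical form of a DN given as ((attr, value), ...) pairs.

    RFC 3280 4.1.2.4 compares PrintableString attribute values after trimming,
    collapsing internal runs of whitespace to one space, and ignoring case; this
    model assumes every value is such a string (real DER carries the type).
    """
    return tuple((attr.upper(), re.sub(r"\s+", " ", value.strip()).lower())
                 for attr, value in name)


class CertIndex:
    """Index keyed on (issuer Name, serialNumber), the pair RFC 3280 4.1.2.2
    requires to be unique; the subject plays no part in the key."""

    def __init__(self):
        self._by_issuer_serial = {}

    def add(self, cert):
        """Return True if the cert is accepted (new, or already present and
        unchanged) and False if a *different* cert already owns the key."""
        key = (normalize_name(cert["issuer"]), cert["serial"])
        existing = self._by_issuer_serial.get(key)
        if existing is None:
            self._by_issuer_serial[key] = cert
            return True
        return existing == cert  # the same cert again is fine, a collision is not

    def __len__(self):
        return len(self._by_issuer_serial)


# Constructed sample certificates mirroring the example in the thread.
ROOT = {"issuer": (("CN", "Root"),), "serial": 1, "subject": (("CN", "Root"),)}
SUB = {"issuer": (("CN", "Root"),), "serial": 1, "subject": (("CN", "Sub"),)}
SUB2 = {"issuer": (("cn", "  Root "),), "serial": 2, "subject": (("CN", "Sub"),)}
OTHER = {"issuer": (("cn", "ROOT"),), "serial": 2, "subject": (("CN", "Other"),)}


def demo():
    """Add the samples in order and report each accept/reject decision."""
    index = CertIndex()
    return [index.add(c) for c in (ROOT, SUB, SUB2, ROOT, OTHER)]


if __name__ == "__main__":
    print(demo())  # [True, False, True, True, False]
```

SUB is rejected purely because it repeats ROOT's issuer name and serial, without any path building; OTHER is rejected because its issuer name equals SUB2's once the 4.1.2.4 normalisation is applied.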