-----BEGIN PGP SIGNED MESSAGE-----
Denis Pinkas <Denis.Pinkas@bull.net> scrawled:
Ambarish Malpani has been proposing the following:
==================================================
Here is something that I have proposed in the past to help
identify a cert uniquely, that might work for you:
CertID ::= SEQUENCE {
    issuerNameAndKeyHash   Hash,
    serialNumber           CertificateSerialNumber
}
IssuerNameAndKey ::= SEQUENCE {
    issuer                 Name,
    issuerPublicKey        SubjectPublicKeyInfo
}
i.e. you identify a cert by the hash of the IssuerNameAndKey
and a serial number.
The hash includes the public key of the issuer - this prevents the
Banana Republic CA from impersonating our well beloved and well
trusted US CA ;-).
==================================================
This is not the right solution since the hash is not usable to point to
the certificate, but only there to make sure that the right certificate
is being selected.
Instead we should have something like:
CertUID ::= SEQUENCE {
    issuerAndSerialNumber  IssuerAndSerialNumber,
    certificateHash        CertHash
}
The certUID is the Certificate Unique Identifier.
The advantage is that other links do not need to be explored, nor
indicated. So my preference would be to fix the start point, as you
suggested.
Denis
I'm late to this thread and new to the list, so my apologies if the
following isn't germane or a new idea.
I believe the PKCS#7 IssuerAndSerialNumber type is an inadequate certificate
identifier now that we have IssuerAlternativeName extensions.
The type should be redefined to something like:
IssuerAndSerialNumber ::= SEQUENCE {
    issuerDN       Name,
    issuerAltName  IssuerAltName OPTIONAL,  -- As defined in PKIX
    serial         CertificateSerialNumber
}
This would make it acceptable for certificates from DN-less CAs.
Marc
+------------------------------------------------------------------------+
 Marc Branchaud                                  \/
 Chief PKI Architect                            /\CERT INTERNATIONAL INC.
 marcnarc@xcert.com                             www.xcert.com
 604-640-6227                                   PKI References page:
                                                www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+
PGP key fingerprint: 60 11 4B 9D 4E E5 2F 47 BD C5 C2 BF 26 DF 5A E1
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQB1AwUBNRAHpFrdFXNdDxPlAQF28AL+OxtHLgF8xo2fXFWePff+P0sjdBjGByHj
Cwb4Q3CTjQ5yt4UeEH7ENEp7SIffnIdMx5bUm5tP5Inx+GboRYgxMeofQ4dtfA7/
wkiNphYKC47faLhv6z3OSzBsfI12HeIU
=Xi8W
-----END PGP SIGNATURE-----
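The following is an added example, not part of Marc's message or of anything Denis or Ambarish posted. It encodes the three identifier shapes discussed in the thread (PKCS#7 IssuerAndSerialNumber, Ambarish's CertID with its hash over IssuerNameAndKey, and Denis's CertUID with a hash of the certificate) using a minimal hand-written DER encoder, then checks what happens in the "Banana Republic CA" case: two issuers with the same Name but different keys, each issuing the same serial number. The CA names, key bytes, serial, certificate bodies and the choice of SHA-1 for the unspecified `Hash` type are all constructed assumptions; the `fake_spki` and `fake_cert` helpers are stand-ins for real DER, not parsers of it.

```python
# Added example, not from the thread: a side-by-side of the three identifier
# shapes proposed above, built with a minimal DER encoder so it runs offline.
# All CA names, keys, serials and certificate bodies are constructed stand-ins.
import hashlib


def der_len(n):
    """DER length octets: short form below 128, long form at or above it."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_seq(*parts):
    return der(0x30, b"".join(parts))


def der_int(n):
    """INTEGER with minimal two's-complement content octets (non-negative only)."""
    if n < 0:
        raise ValueError("negative serial numbers are not handled here")
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_octets(b):
    return der(0x04, b)


def der_name(common_name):
    """One-RDN X.501 Name: SEQUENCE { SET { SEQUENCE { id-at-commonName, PrintableString } } }."""
    id_at_common_name = der(0x06, bytes([0x55, 0x04, 0x03]))  # OID 2.5.4.3
    atv = der_seq(id_at_common_name, der(0x13, common_name.encode("ascii")))
    return der_seq(der(0x31, atv))


def fake_spki(key_bytes):
    """SubjectPublicKeyInfo-shaped blob: rsaEncryption AlgorithmIdentifier plus a
    BIT STRING. key_bytes is a constructed stand-in, not a real RSA key."""
    rsa_encryption = der(0x06, bytes.fromhex("2A864886F70D010101"))  # 1.2.840.113549.1.1.1
    alg_id = der_seq(rsa_encryption, der(0x05, b""))
    return der_seq(alg_id, der(0x03, b"\x00" + key_bytes))


def fake_cert(issuer_name, serial, subject_cn, signature):
    """Stand-in for a certificate's DER: a cut-down TBS plus a BIT STRING signature.
    Only its bytes matter here, because CertUID hashes the whole certificate."""
    tbs = der_seq(der_int(serial), issuer_name, der_name(subject_cn))
    return der_seq(tbs, der(0x03, b"\x00" + signature))


# --- the three identifier shapes from the thread --------------------------

def issuer_and_serial(issuer_name, serial):
    """PKCS#7 IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber INTEGER }."""
    return der_seq(issuer_name, der_int(serial))


def cert_id(issuer_name, issuer_spki, serial, hash_alg="sha1"):
    """Ambarish's CertID: hash of IssuerNameAndKey (issuer Name + issuer SPKI),
    then the serial. SHA-1 is an assumption; the proposal leaves 'Hash' open."""
    issuer_name_and_key = der_seq(issuer_name, issuer_spki)
    digest = hashlib.new(hash_alg, issuer_name_and_key).digest()
    return der_seq(der_octets(digest), der_int(serial))


def cert_uid(issuer_name, serial, cert_der, hash_alg="sha1"):
    """Denis's CertUID: IssuerAndSerialNumber followed by a hash of the certificate."""
    digest = hashlib.new(hash_alg, cert_der).digest()
    return der_seq(issuer_and_serial(issuer_name, serial), der_octets(digest))


def compare(hash_alg="sha1"):
    """Two CAs with the same Name but different keys, each issuing serial 0x1001
    to the same subject. Returns, per identifier, whether the two collide."""
    name = der_name("Well Beloved CA")           # shared by both issuers
    spki_real = fake_spki(b"\xA1" * 32)          # constructed key material
    spki_impostor = fake_spki(b"\xB2" * 32)      # constructed key material
    serial = 0x1001
    cert_real = fake_cert(name, serial, "alice", b"\x01" * 32)
    cert_impostor = fake_cert(name, serial, "alice", b"\x02" * 32)
    return {
        # Name and serial are identical, so the PKCS#7 identifier cannot tell them apart.
        "issuer_and_serial_collides":
            issuer_and_serial(name, serial) == issuer_and_serial(name, serial),
        # The issuer key is inside the hash, so the impostor gets a different CertID.
        "cert_id_collides":
            cert_id(name, spki_real, serial, hash_alg)
            == cert_id(name, spki_impostor, serial, hash_alg),
        # The certificates differ (different signatures), so their hashes differ.
        "cert_uid_collides":
            cert_uid(name, serial, cert_real, hash_alg)
            == cert_uid(name, serial, cert_impostor, hash_alg),
    }


if __name__ == "__main__":
    for identifier, collides in compare().items():
        print(f"{identifier}: {collides}")
```

Run it as a script to see the three booleans; only the plain IssuerAndSerialNumber reports a collision. Note the trade-off the thread is circling: CertID lets a relying party reject the impostor without fetching anything, but gives no pointer to the certificate, while CertUID carries the name-and-serial pointer and still pins the exact certificate through its hash.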