ietf-smime

Re: Inclusion of the issuer and serial number in authenticated information

1998-03-18 10:45:05

Denis Pinkas <Denis.Pinkas@bull.net> scrawled:

Ambarish Malpani has been proposing the following:

==================================================

Here is something that I have proposed in the past to help
identify a cert uniquely, that might work for you:

CertID                  ::=     SEQUENCE {
        issuerNameAndKeyHash            Hash,
        serialNumber                    CertificateSerialNumber
}

IssuerNameAndKey                ::=     SEQUENCE {
        issuer                          Name,
        issuerPublicKey                 SubjectPublicKeyInfo
}

i.e. you identify a cert by the hash of the IssuerNameAndKey
and a serial number.

The hash includes the public key of the issuer - this prevents the
Banana Republic CA from impersonating our well beloved and well
trusted US CA ;-).

==================================================

This is not the right solution since the hash is not usable to point to
the certificate, but only there to make sure that the right certificate
is being selected.

Instead we should have something like:

CertUID ::=     SEQUENCE {
       issuerAndSerialNumber   IssuerAndSerialNumber,
       certificateHash         CertHash
}

The certUID is the Certificate Unique Identifier.

The advantage is that other links do not need to be explored, nor
indicated. So my preference would be to fix the start point, as you
suggested.

Denis


I'm late to this thread and new to the list, so my apologies if the 
following isn't germane or a new idea.

I believe the PKCS#7 IssuerAndSerialNumber type is an inadequate certificate 
identifier now that we have IssuerAlternativeName extensions.

The type should be redefined to something like:

IssuerAndSerialNumber ::= SEQUENCE {
     issuerDN          Name,
     issuerAltName     IssuerAltName OPTIONAL,  -- As defined in PKIX
     serial            CertificateSerialNumber
}

This would make it acceptable for certificates from DN-less CAs.

                Marc

+------------------------------------------------------------------------+
 Marc Branchaud                                  \/
 Chief PKI Architect                             /\CERT INTERNATIONAL INC.
 marcnarc@xcert.com        PKI References page:              www.xcert.com
 604-640-6227          www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+
  PGP key fingerprint:  60 11 4B 9D 4E E5 2F 47  BD C5 C2 BF 26 DF 5A E1


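The three identifier shapes discussed in this thread, as an added worked example that is not part of the original ietf-smime message or of any of the posters' code. It builds PKCS#7 IssuerAndSerialNumber, Ambarish's CertID and Denis's CertUID with a minimal DER encoder and shows the property each one has: two CAs with the same DN but different keys collide under IssuerAndSerialNumber, are told apart by CertID, and a CertUID lets you confirm that the certificate you retrieved by issuer/serial is the one meant. Assumptions, since the thread leaves them open: SHA-256 stands in for the unspecified "Hash"/"CertHash" types, the issuer Name is a single commonName RDN, and placeholder bytes stand in for real certificates and public keys.

```python
# Added example, not code from the original thread. Assumes SHA-256 for the
# thread's unspecified Hash/CertHash types and uses placeholder bytes for
# certificates and public keys.
import hashlib

CN_OID = bytes.fromhex("550403")                 # id-at-commonName 2.5.4.3
RSA_OID = bytes.fromhex("2a864886f70d010101")    # rsaEncryption 1.2.840.113549.1.1.1


def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def der_integer(value: int) -> bytes:
    """INTEGER with a minimal two's-complement body (non-negative values only)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def der_sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def der_set(*items: bytes) -> bytes:
    return tlv(0x31, b"".join(sorted(items)))  # DER orders SET OF by encoding


def der_octet_string(data: bytes) -> bytes:
    return tlv(0x04, data)


def issuer_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one CN)."""
    atv = der_sequence(tlv(0x06, CN_OID), tlv(0x13, common_name.encode("ascii")))
    return der_sequence(der_set(atv))


def spki(public_key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo with an rsaEncryption AlgorithmIdentifier.
    The key bytes are a placeholder, not a real RSAPublicKey encoding."""
    alg = der_sequence(tlv(0x06, RSA_OID), tlv(0x05, b""))
    return der_sequence(alg, tlv(0x03, b"\x00" + public_key_bytes))


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def issuer_and_serial(issuer: bytes, serial: int) -> bytes:
    """PKCS#7 IssuerAndSerialNumber: the issuer Name and the serial, nothing else."""
    return der_sequence(issuer, der_integer(serial))


def cert_id(issuer: bytes, issuer_spki: bytes, serial: int) -> bytes:
    """Ambarish's CertID: hash of IssuerNameAndKey (Name || SPKI) plus the serial."""
    name_and_key = der_sequence(issuer, issuer_spki)
    return der_sequence(der_octet_string(sha256(name_and_key)), der_integer(serial))


def cert_uid(issuer: bytes, serial: int, cert_der: bytes) -> bytes:
    """Denis's CertUID: IssuerAndSerialNumber to locate, a certificate hash to confirm."""
    return der_sequence(issuer_and_serial(issuer, serial),
                        der_octet_string(sha256(cert_der)))


def cert_uid_matches(uid: bytes, candidate_cert_der: bytes) -> bool:
    """The certificateHash is the last element of the SEQUENCE, so checking the
    suffix confirms the candidate is the certificate the issuer/serial pointed at."""
    return uid.endswith(der_octet_string(sha256(candidate_cert_der)))


def demo() -> dict:
    # Constructed scenario: two CAs with the same DN but different keys, each
    # issuing a certificate with the same serial. Certificate bodies are placeholders.
    name = issuer_name("Trusted CA")
    key_a, key_b = spki(b"\x01" * 32), spki(b"\x02" * 32)
    serial = 0x1234
    cert_a = b"placeholder cert issued by the real CA " + key_a
    cert_b = b"placeholder cert issued by the impostor CA " + key_b
    uid_a = cert_uid(name, serial, cert_a)
    return {
        # Same DN, same serial: PKCS#7 cannot tell the two certificates apart.
        "issuer_serial_collides": issuer_and_serial(name, serial) == issuer_and_serial(name, serial),
        # The issuer key is in the hash, so the impostor's CertID differs.
        "cert_id_distinct": cert_id(name, key_a, serial) != cert_id(name, key_b, serial),
        # The certificate hash differs, so the CertUIDs differ too.
        "cert_uid_distinct": uid_a != cert_uid(name, serial, cert_b),
        # The hash accepts the right certificate and rejects the impostor's.
        "uid_confirms_cert": cert_uid_matches(uid_a, cert_a) and not cert_uid_matches(uid_a, cert_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The CertID hash covers the issuer's key, which is what defeats the "same DN, different CA" case; the CertUID hash covers the whole certificate, which is what lets a relying party confirm the object it fetched by issuer/serial before using it. Neither structure on its own addresses Marc's DN-less-CA point, since both still carry the issuer Name.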