I do not see the value in the certificate hash. However, if many people
think it is desirable, then it should be optional. We must trust CAs to
never issue more than one certificate with the same serial number.
Revocation will be all messed up if they do....
Russ

At 05:28 PM 3/20/98 -0800, Denis Pinkas wrote:
There is no final position yet, but it seems that we are going towards
the following structure:

CertUID ::= SEQUENCE {
    issuerDN         Name,
    issuerAltName    IssuerAltName OPTIONAL, -- As defined in PKIX
    serial           CertificateSerialNumber,
    certificateHash  CertHash
}

This allows the support of alternate names, and the certificate hash
makes it possible to distinguish between certificates that would be
issued by CAs having the same name.
In any case, I would recommend that the pkix group and the smime group
adopt the same structure.
Denis
--
Denis Pinkas Bull S.A.
mailto:Denis(_dot_)Pinkas(_at_)bull(_dot_)net
Rue Jean Jaures B.P. 68 Phone : 33 - 1 30 80 34 87
78340 Les Clayes sous Bois. FRANCE Fax : 33 - 1 30 80 33 21
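
The trade-off discussed in this thread, as an added example that is not part of either message: a lookup keyed on issuer name and serial alone is ambiguous when two CAs share a name, while a certificate hash (optional here, as the reply suggests) pins one certificate. All names are hypothetical, SHA-256 is an assumed hash choice, DNs are compared as plain strings, and the byte strings are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class StoredCert:
    issuer_dn: str  # simplified: compared as a string, not as an ASN.1 Name
    serial: int
    der: bytes      # stand-in for the DER-encoded certificate

@dataclass(frozen=True)
class CertUID:
    issuer_dn: str
    serial: int
    cert_hash: Optional[bytes] = None  # optional, as proposed in the reply

class AmbiguousCertificate(Exception):
    """Issuer name and serial matched more than one stored certificate."""

def cert_hash(der: bytes) -> bytes:
    # Assumption: SHA-256 over the whole encoded certificate.
    return hashlib.sha256(der).digest()

def make_uid(cert: StoredCert, with_hash: bool = True) -> CertUID:
    digest = cert_hash(cert.der) if with_hash else None
    return CertUID(cert.issuer_dn, cert.serial, digest)

def resolve(uid: CertUID, store: List[StoredCert]) -> Optional[StoredCert]:
    matches = [c for c in store
               if c.issuer_dn == uid.issuer_dn and c.serial == uid.serial]
    if uid.cert_hash is not None:
        matches = [c for c in matches
                   if hmac.compare_digest(cert_hash(c.der), uid.cert_hash)]
    if len(matches) > 1:
        # Fail closed: never pick one of several candidates arbitrarily.
        raise AmbiguousCertificate(f"{uid.issuer_dn} serial {uid.serial}")
    return matches[0] if matches else None

# Constructed sample: two CAs with the same name that reused a serial number.
STORE = [
    StoredCert("CN=Example CA,O=Example,C=US", 1001, b"constructed cert, first CA"),
    StoredCert("CN=Example CA,O=Example,C=US", 1001, b"constructed cert, second CA"),
    StoredCert("CN=Other CA,C=FR", 7, b"constructed cert, other CA"),
]
```

Without the hash, the lookup for the colliding pair raises rather than guessing, which is the revocation hazard the reply points to; with the hash, each certificate resolves to itself.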