Russ,
The issuer and serial number in a CRL is making a negative statement ("Any
certificate which you find with this issuer and serial number is not good.")
while this is trying to make a positive statement ("This is the one true
certificate.") The quality of the statements differs as one is making the
general statement about all certificates with a given issuer/serial number
and the other is trying to identify from a possible set of certificates with
the same issuer/serial number the correct certificate.
jim
-----Original Message-----
From: Russ Housley [mailto:housley(_at_)spyrus(_dot_)com]
Sent: Thursday, May 14, 1998 9:10 AM
To: shenson(_at_)bigfoot(_dot_)com
Cc: ietf-smime(_at_)imc(_dot_)org
Subject: Re: SigningCertificate and IssuerAndSerialNumber.
If IssuerAndSerialNumber is sufficient for specifying a certificate in a
CRL, then what makes it insufficient here?
Russ
At 03:30 AM 5/14/98 +0100, Dr Stephen Henson wrote:
While I feel that the principle of the specification is good I have to
admit that I have been swayed by the argument in favour of using
something other than IssuerAndSerialNumber to bind the signer's
certificate.
One reason is that as things stand use of the signing certificate
attribute makes the "outer" issuerAndSerialNumber redundant. I feel that
something that complemented the outer issuerAndSerialNumber rather than
duplicated it would be preferable.
B. Open Issues
Some people have expressed a desire to solve the "Reissue
of Certificate" attack. I see no pressing need to address
this attack. Any certificate authority that allowed for
this attack is operating in an improper fashion and should
not be used. In the event that the attack is deemed to be
of importance, it could be solved by the addition of a
hash to the SigningCertificate ASN structure. This would
allow the relying entity to verify that the certificate
was exactly the same as the signing entity claimed to have
used.
I would respectfully suggest that if the SigningCertificate structure
contained a hash of the signer's certificate (or some equivalent) the
IssuerAndSerialNumber structure would be redundant.
This prompts the question: why not make the SigningCertificate structure
consist wholly of the hash?
In addition the hash is likely to be more compact than the
issuerAndSerialNumber structure.
I agree that there is no pressing need to address the other attacks (a
rogue CA could do much nastier things invisibly) but if they can be
addressed (in addition to the original "Substitution Attack") this is no
bad thing IMHO.
Steve.
--
Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant. For info see homepage.
Homepage: http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)bigfoot(_dot_)com
PGP key: via homepage.
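
Added example, not part of the original thread: a relying party's lookup when two certificates share an issuer and serial number, first with IssuerAndSerialNumber alone and then with a certificate hash in the signed attribute. The `Cert` model, its encoding, the helper names and the use of SHA-256 are assumptions made for illustration; no real X.509 or CMS parsing is done.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Toy stand-in for a certificate (constructed model, not real DER)."""
    issuer: str
    serial: int
    subject: str
    public_key: bytes

    def encoded(self) -> bytes:
        # Length-prefixed fields so distinct certificates never encode alike.
        fields = [self.issuer.encode(), str(self.serial).encode(),
                  self.subject.encode(), self.public_key]
        return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def cert_hash(cert: Cert) -> bytes:
    # SHA-256 is an assumption; the thread does not name a hash algorithm.
    return hashlib.sha256(cert.encoded()).digest()

def find_by_issuer_serial(store, issuer, serial):
    """Every certificate a relying party could pick for this identifier."""
    return [c for c in store if (c.issuer, c.serial) == (issuer, serial)]

def bind_signing_cert(store, issuer, serial, digest=None):
    """Return the one certificate the signer bound, or raise if ambiguous."""
    candidates = find_by_issuer_serial(store, issuer, serial)
    if digest is not None:
        # The signed hash narrows the set to the exact certificate used.
        candidates = [c for c in candidates if cert_hash(c) == digest]
    if len(candidates) != 1:
        raise ValueError(f"{len(candidates)} candidates, signer not bound")
    return candidates[0]

# Constructed sample: same issuer and serial number, different public key.
ORIGINAL = Cert("CN=Example CA", 1001, "CN=Alice", b"\x01" * 32)
REISSUED = Cert("CN=Example CA", 1001, "CN=Alice", b"\x02" * 32)
STORE = [ORIGINAL, REISSUED]

if __name__ == "__main__":
    print(len(find_by_issuer_serial(STORE, "CN=Example CA", 1001)))
    print(bind_signing_cert(STORE, "CN=Example CA", 1001, cert_hash(ORIGINAL)))
```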