pem-dev

Re: Unique DNs (was Re: PEM Test Service)

1993-02-24 12:59:00
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-ID-Asymmetric: MEYxCzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUcnV
 zdGVkIEluZm9ybWF0aW9uIFN5c3RlbXMxETAPBgNVBAsTCEdsZW53b29k,02
MIC-Info: RSA-MD5,RSA,ZZE8Bu+VrtwBqOWnqZVkFo4vNImT1wpPCX/3Ot0nev7
 N1Pobp//v9u9EGsEa5NGFxFXP63+cEINmJAhfgy4LZQ==

        Since a person's public key is guaranteed unique (or there's a
        serious flaw in the key generation algorithm), I fail to see why
        the DN portion of the [DN,key] pair needs to be unique.

There is absolutely nothing that suggests, let alone guarantees, that a
public key is unique.  In fact, it is widely known (I know I've
mentioned it a few times in very public places) that it is entirely
reasonable to expect that an individual could collect as many
certificates as possible and generate as many public/private key pairs
as possible and look for matches.

If you further consider that a majority of the community will be using
the same software, you begin to wonder what the likelihood of a match
is.  Now, I'm no mathematician, so maybe the point is moot, but has
anyone given any serious thought to this issue?

The quality of the unpredictable (I purposely avoided random) value used
to initiate generation of a public/private key pair is paramount, but
not sufficient to prevent duplicates.  After all, there is nothing to
prevent two independent machines from independently generating for use
the same unpredictable start value!

Jim

PS. I note for completeness this issue is not specific to PEM.  It
applies equally validly to any public key application.
- ------------------------------------------------------------------------
This message digitally signed with Privacy Enhanced Mail.  Get your copy
of the Internet reference implementation from "pem-info(_at_)tis(_dot_)com".
-----END PRIVACY-ENHANCED MESSAGE-----
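
The duplicate-key concern raised in the message above, as an added example that is not part of the original post or of any PEM implementation: a toy RSA key generator driven only by its start value, a birthday estimate for how often two users draw the same start value, and a CA-side check that flags one public key appearing under several DNs. All function names, the 32-bit prime size and the seed sizes are assumptions chosen for illustration, and the [DN, key] pairs are constructed.

```python
import math
import random
from collections import defaultdict

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin for odd n > 37; these bases are deterministic below 3.3e24."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(seed, bits=32):
    """Toy RSA modulus (far too small for real use) derived only from the seed."""
    rng, primes = random.Random(seed), []
    while len(primes) < 2:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_prime(c) and c not in primes:
            primes.append(c)
    return primes[0] * primes[1]

def find_shared_keys(certs):
    """CA-side check: public keys that appear under more than one DN."""
    by_key = defaultdict(set)
    for dn, modulus in certs:
        by_key[modulus].add(dn)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}

def collision_probability(users, seed_bits):
    """Birthday approximation: chance that two of `users` draw the same seed."""
    return -math.expm1(-users * (users - 1) / 2 / 2 ** seed_bits)

def simulate(users, seed_bits, trial_seed=1993):
    """Constructed population of [DN, key] pairs drawn from a small seed space."""
    draw = random.Random(trial_seed)
    return find_shared_keys(
        [(f"CN=user{i}", keygen(draw.getrandbits(seed_bits))) for i in range(users)])
```

With 16 bits of effective seed entropy, `collision_probability(300, 16)` is already close to one half, while the same population with a 128-bit seed gives a value on the order of 1e-34.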
