Rob Stradling <rob=40sectigo....@dmarc.ietf.org> wrote:
>> > Is it required that a CA's Subject DN must be globally unique? No.
>>
>> RFC 5280, section 4.1.2.2: "It [the serial number] MUST be unique for
>> each certificate issued by a given CA (i.e., the issuer name and
>> serial number identify a unique certificate)."
> Ah, so a CA's Subject DN does have to be globally unique then! So if
No, it does not. It does not even need to be unique within the CA.
And if you think about it, if someone wants a new certificate before the old
one expires, one needs exactly that. IssuerDN+(certificate)SerialNumber is
unique, nothing else.
This is why have have the certificate transparency situation, and
https://www.csoonline.com/article/548734/hacking-the-real-security-issue-behind-the-comodo-hack.html
https://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/
And why we now have the CAA RR in DNS.
--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
