> > Ah, so a CA's Subject DN does have to be globally unique then! So if
>
> No, it does not. It does not even need to be unique within the CA.
> And if you think about it, if someone wants a new certificate before the old
> one expires, one needs exactly that. IssuerDN+(certificate)SerialNumber is
> unique, nothing else.
I think we're in violent agreement. The CA's Subject DN is the IssuerDN in
the certs issued by that CA.
________________________________
From: Acme <acme-boun...@ietf.org> on behalf of Michael Richardson
<mcr+i...@sandelman.ca>
Sent: 29 July 2023 18:32
To: acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] Practical concerns of draft-ietf-acme-ari
CAUTION: This email originated from outside of the organization. Do not click
links or open attachments unless you recognize the sender and know the content
is safe.
Rob Stradling <rob=40sectigo....@dmarc.ietf.org> wrote:
>> > Is it required that a CA's Subject DN must be globally unique? No.
>>
>> RFC 5280, section 4.1.2.2: "It [the serial number] MUST be unique for
>> each certificate issued by a given CA (i.e., the issuer name and
>> serial number identify a unique certificate)."
> Ah, so a CA's Subject DN does have to be globally unique then! So if
No, it does not. It does not even need to be unique within the CA.
And if you think about it, if someone wants a new certificate before the old
one expires, one needs exactly that. IssuerDN+(certificate)SerialNumber is
unique, nothing else.
This is why have have the certificate transparency situation, and
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.csoonline.com%2Farticle%2F548734%2Fhacking-the-real-security-issue-behind-the-comodo-hack.html&data=05%7C01%7Crob%40sectigo.com%7C353e0a33a5404d76920d08db906e2fee%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638263936424889341%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=pdgVMNX97iq7KUKrMJSK1orK6uFTi8aIJruPzQsTj%2FI%3D&reserved=0<https://www.csoonline.com/article/548734/hacking-the-real-security-issue-behind-the-comodo-hack.html>
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnakedsecurity.sophos.com%2F2011%2F03%2F24%2Ffraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust%2F&data=05%7C01%7Crob%40sectigo.com%7C353e0a33a5404d76920d08db906e2fee%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638263936424889341%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=r8oTK9kPM7%2B0%2Fq5uOnref%2B2sQFIlPuxXend18HmqMrU%3D&reserved=0<https://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/>
And why we now have the CAA RR in DNS.
--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
