> > Ah, so a CA's Subject DN does have to be globally unique then! So if
>
> No, it does not. It does not even need to be unique within the CA.
> And if you think about it, if someone wants a new certificate before the old
> one expires, one needs exactly that. IssuerDN+(certificate)SerialNumber is
> unique, nothing else.
I think we're in violent agreement. The CA's Subject DN is the IssuerDN in the certs issued by that CA.

________________________________
From: Acme <acme-boun...@ietf.org> on behalf of Michael Richardson <mcr+i...@sandelman.ca>
Sent: 29 July 2023 18:32
To: acme@ietf.org <acme@ietf.org>
Subject: Re: [Acme] Practical concerns of draft-ietf-acme-ari

Rob Stradling <rob=40sectigo....@dmarc.ietf.org> wrote:
    >> > Is it required that a CA's Subject DN must be globally unique? No.
    >>
    >> RFC 5280, section 4.1.2.2: "It [the serial number] MUST be unique for
    >> each certificate issued by a given CA (i.e., the issuer name and
    >> serial number identify a unique certificate)."

    > Ah, so a CA's Subject DN does have to be globally unique then! So if

No, it does not. It does not even need to be unique within the CA.
And if you think about it, if someone wants a new certificate before the old
one expires, one needs exactly that. IssuerDN+(certificate)SerialNumber is
unique, nothing else.
This is why we have the certificate transparency situation, and
https://www.csoonline.com/article/548734/hacking-the-real-security-issue-behind-the-comodo-hack.html
https://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/

And why we now have the CAA RR in DNS.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
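As an added illustration (not part of this thread, nor code from any CA) of the RFC 5280 rule quoted above: a small stdlib-only Python model in which the Subject DN repeats freely (early renewal, a different issuer using the same serial value) while only the (issuer DN, serial) pair must be unique, together with the check a CT-log monitor or a CA's issuance path could run. The record type, function names and sample certificates are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Hypothetical in-memory certificate record; real code would read these from X.509 fields.
@dataclass(frozen=True)
class CertRecord:
    issuer_dn: str    # the issuing CA's Subject DN, copied into the cert's issuer field
    subject_dn: str
    serial: int
    not_after: date

def cert_key(cert: CertRecord) -> tuple:
    """RFC 5280 4.1.2.2: the issuer name plus serial number identify a unique certificate."""
    return (cert.issuer_dn, cert.serial)

def find_duplicate_identifiers(certs):
    """Return every (issuer DN, serial) pair seen more than once. Each hit is a CA-side
    defect (a serial reused under the same issuer name), which is what a CT-log monitor
    would flag; the same serial value under a different issuer is not a problem."""
    seen = defaultdict(list)
    for cert in certs:
        seen[cert_key(cert)].append(cert)
    return {key: group for key, group in seen.items() if len(group) > 1}

def certs_for_subject(certs, subject_dn):
    """The Subject DN is not an identifier: renewing before expiry legitimately leaves
    several unexpired certificates with the same subject from the same issuer."""
    return [cert for cert in certs if cert.subject_dn == subject_dn]

def can_issue(existing, candidate: CertRecord) -> bool:
    """CA-side check before signing: only the (issuer, serial) pair has to be fresh."""
    return cert_key(candidate) not in {cert_key(cert) for cert in existing}

# Constructed sample data, not taken from any real CA.
CA1 = "CN=Example Issuing CA 1,O=Example"
CA2 = "CN=Example Issuing CA 2,O=Example"
SAMPLE = [
    CertRecord(CA1, "CN=www.example.test", 0x1001, date(2023, 9, 1)),
    CertRecord(CA1, "CN=www.example.test", 0x1002, date(2023, 12, 1)),   # early renewal: fine
    CertRecord(CA2, "CN=www.example.test", 0x1001, date(2023, 12, 1)),   # same serial, other CA: fine
    CertRecord(CA1, "CN=shop.example.test", 0x1002, date(2024, 1, 1)),   # serial reused under CA1: bug
]

if __name__ == "__main__":
    print("certs for www.example.test:", len(certs_for_subject(SAMPLE, "CN=www.example.test")))
    for (issuer, serial), group in find_duplicate_identifiers(SAMPLE).items():
        print(f"DUPLICATE issuer={issuer} serial={serial:#x} -> {len(group)} certificates")
```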
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme