While the traditional definition of a digital certificate is taken to
be the "binding of a name to a public key", why would you issue certs
with duplicate serial numbers?  Was this an oversight or a design
decision?  If the latter, it would help the forum to understand the
business/technical requirements leading to such a decision.  Thanks.

Arshad Noor
StrongAuth, Inc.

Michael Pratt wrote:
I'm cross posting this to crypto and ldap in the hopes nobody else will
waste months of effort on a simple issue :)

Those of you that frequent these boards have probably seen several posts
from me dating back to January regarding problems with client authentication
and Sun directory server.  We've been trying to set up our apps using
Mozilla Java and C APIs and have them authenticate using SASL /
External.  The problem was when multiple users would run at the same time,
one of them would fail to authenticate on the directory server and return
error "-12271: SSL peer cannot verify your certificate".

The problem was with the directory server (5.2 patch 4, Solaris 8) and how
it handles client certificates (or possibly in how we created the
certificates).  Apparently if the same DS machine receives two certificates
at the same time with the same serial number value, only one will be
successfully processed and the other will return the error above.  This was
pointed out to us by a Sun engineer, and it wasn't clear if this is a bug in
the version or if this is how DS was intended to work.  Regardless, once we
changed each user's cert to have a unique serial number the problem
disappeared.

Mike
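The failure Mike describes only surfaces at runtime, when two clients with the same serial number happen to connect at once. A cheaper place to catch it is in the CA's issuance or deployment pipeline: read the serialNumber out of every client certificate and refuse a batch that reuses one. The script below is an added example written for this thread, not code from either poster or from Sun or Mozilla. It walks just the leading DER fields of each certificate (outer SEQUENCE, tbsCertificate SEQUENCE, optional [0] version, then the serialNumber INTEGER, as laid out in RFC 5280 section 4.1), so it needs no third-party library. The sample inputs are constructed certificate skeletons with only version and serial populated; they are not real certificates, and the labels alice/bob/carol/dave are invented.

```python
"""Flag duplicate serial numbers across a batch of DER-encoded certificates.

Added example for this thread; parses only the first fields of each
TBSCertificate (RFC 5280 section 4.1) and needs no external library.
"""
from collections import defaultdict


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def certificate_serial(der):
    """Extract serialNumber from a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs_start, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, tbs_start)
    if tag == 0xA0:  # optional explicit [0] version precedes the serial
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[vstart:vend], "big", signed=True)


def find_duplicate_serials(certs):
    """Map each serial used more than once to the labels of the certs carrying it."""
    seen = defaultdict(list)
    for label, der in certs.items():
        seen[certificate_serial(der)].append(label)
    return {serial: labels for serial, labels in seen.items() if len(labels) > 1}


# --- constructed test fixtures (not real certificates) ----------------------

def _tlv(tag, value):
    """Minimal DER TLV encoder used only to build the sample skeletons."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _fake_cert(serial, version=2):
    """Constructed stand-in: tbsCertificate with only version and serial present.

    Real certificates carry signature, issuer, validity, subject and key after
    the serial; those fields are elided here because the parser never reads them.
    """
    ser = serial.to_bytes(max(1, (serial.bit_length() + 8) // 8), "big", signed=True)
    tbs = _tlv(0xA0, _tlv(0x02, bytes([version]))) + _tlv(0x02, ser)
    return _tlv(0x30, _tlv(0x30, tbs))


# Constructed sample batch: alice and carol were issued the same serial.
SAMPLE_CERTS = {
    "alice": _fake_cert(1),
    "bob": _fake_cert(2),
    "carol": _fake_cert(1),
    "dave": _fake_cert(0x0123456789ABCDEF),
}

if __name__ == "__main__":
    dupes = find_duplicate_serials(SAMPLE_CERTS)
    for serial, who in dupes.items():
        print(f"serial {serial} is shared by {', '.join(who)}")
    raise SystemExit(1 if dupes else 0)
```

Against real certificate files, the same check can be driven by `openssl x509 -noout -serial -in <file>` per certificate and a sort/uniq over the output. Note that RFC 5280 requires uniqueness of the serial per issuer, so a stricter check would key on the (issuer, serial) pair; this example keys on the serial alone because that is the value the thread reports the directory server tripping over.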
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto