> > The serialNumber is the equivalent of UUID for a person and does not
> > change.
>
> Is the serialNumber unique for one CA only or for all the CAs?
> Or is it possible to have the same serialNumber issued by two different CAs?

It's unique for the CA but can be transferred to another CA.

The SuisseID specification describing the use of the serialNumber field can be found at: http://www.suisseid.ch/unternehmen/technik/index.html (page is in German; the first link in the main window is to the spec in English)

> > A person can have several SuisseIDs issued to him/her containing
> > different email addresses and possibly associations to one/more
> > different companies, issued by different CAs (even concurrently!).
> >
> > As long as it's the same individual the serialNumber remains the same.
> >
> > Also: There already is a second certificate (certificate #5) on the
> > token (only used for qualified signatures right now) that shows the
> > deal:
> > -> Different CA, Different CN, same serialNumber
>
> I guess the two certificates have two different private keys.

Yes.

> How is pam_pkcs11 supposed to know which public key to use if you only
> give it the serialNumber matching two certificates?

The public key is part of the certificate, so once the wanted certificate is found pam_pkcs11 should use the public key of that certificate. Doesn't it already work that way?

> pam_pkcs11 will just use the first certificate it finds that matches the
> serialNumber?

That is what I would expect - matching usually works this way. If access to the second certificate was required the pattern could be modified to only match the second certificate, e.g.

^.*Signature)/.*/serialNumber=xxxx-xxxx-xxxx-xxxx$

> > Of course I could list (and maintain) each possibility on each machine,
>
> Yes, you could :-)

... but having pattern matches would still be the nicer/more generic solution ;-)

BTW: I've also opened up a bug report (#239) because I cannot get pam_pkcs11 to continue past the first certificate - this is a prerequisite for pattern matching to work at all and also necessary for me to continue exploring. Is this a feature or a bug? Do you want me to try and fix it?

--
Just when you discovered the meaning of life IT changed.
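The matching behaviour discussed in this message, as an added illustration (not code from the thread or from pam_pkcs11): constructed subject strings in the one-line `/C=.../CN=.../serialNumber=...` form the quoted pattern implies, a serialNumber-only pattern that matches both of one person's certificates, and a tighter pattern (the thread's, with the stray `)` removed, so it is a hypothetical reading of it) that selects only the signature certificate. The CA names, CNs and serial are made up.

```python
import re

# Constructed sample subjects modelled on the two SuisseID certificates
# described in the thread: different CA, different CN, same serialNumber.
# All values below are made up for this example.
SERIAL = "1234-5678-9012-3456"
TOKEN_SUBJECTS = [
    # certificate used for authentication (first one on the token)
    f"/C=CH/O=Example Auth CA/CN=Jane Doe Authentication"
    f"/emailAddress=jane@example.com/serialNumber={SERIAL}",
    # "certificate #5": qualified signature certificate from another CA
    f"/C=CH/O=Example Qualified CA/CN=Jane Doe Signature/serialNumber={SERIAL}",
    # certificate of a different person, must never match Jane's pattern
    "/C=CH/O=Example Auth CA/CN=John Roe Authentication"
    "/serialNumber=9999-9999-9999-9999",
]


def matching_subjects(subjects, pattern):
    """Return every subject the anchored regex matches, in token order.

    Walking all certificates (not stopping at the first) is the behaviour
    the thread says pattern matching depends on.
    """
    rx = re.compile(pattern)
    return [s for s in subjects if rx.search(s)]


def first_match(subjects, pattern):
    """First-match semantics, which is what the thread expects pam_pkcs11 to do."""
    hits = matching_subjects(subjects, pattern)
    return hits[0] if hits else None


def serial_of(subject):
    """Extract the serialNumber attribute (the person-level identifier)."""
    m = re.search(r"/serialNumber=([^/]+)", subject)
    return m.group(1) if m else None


# Loose pattern: any certificate carrying this person's serialNumber.
SERIAL_ONLY = rf"^.*/serialNumber={re.escape(SERIAL)}$"
# Tighter pattern (hypothetical): CN must end in "Signature" as well.
SIGNATURE_ONLY = rf"^.*Signature/.*serialNumber={re.escape(SERIAL)}$"

if __name__ == "__main__":
    print("serialNumber only ->", first_match(TOKEN_SUBJECTS, SERIAL_ONLY))
    print("signature cert    ->", first_match(TOKEN_SUBJECTS, SIGNATURE_ONLY))
```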
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
