Ludovic Rousseau wrote:
> >> > The serialNumber is the equivalent of UUID for a person and
> >> > does not change.
> >>
> >> Is the serialNumber unique for one CA only or for all the CAs?
> >> Or is it possible to have the same serialNumber issued by two
> >> different CAs?
> > It's unique for the CA but can be transferred to another CA.
> 
> So you can have two certificates from two different CAs having the
> same serialNumber.
> That could be an easy attack to impersonate you if both CAs are valid
> for pam_pkcs11.

The way I understood this is that the same serialNumber will always
only be in certificates that are issued to the same actual person.

Whatever the Swiss use for legal person ID would presumably be
checked by the CAs, and the serialNumber used as some reference.

It seems to me like a nice solution. But I could also just have
misunderstood it. :)


//Peter
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
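The impersonation scenario raised in the quoted reply, as an added illustration that is not code from pam_pkcs11 or from anyone in this thread: a login mapping that keys only on the subject serialNumber accepts a certificate from any trusted CA that carries the same value, while a mapping that also binds the issuer does not. The certificates, DN strings and mapping tables are constructed for the example; the mapper functions and the "CH-0001" identifier are hypothetical and say nothing about how pam_pkcs11's own mappers are implemented.

```python
# Added example, not pam_pkcs11 code. Shows the risk discussed in the thread:
# two trusted CAs, two certificates with the same subject serialNumber.


def parse_dn(dn):
    """Parse an RFC 4514-style DN ("serialNumber=1,CN=Alice,O=Ex") into a
    dict of lower-cased attribute type -> value. Handles '\\,' escapes,
    which is enough for the constructed DNs below."""
    attrs, parts, buf, escaped = {}, [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        k, v = part.split("=", 1)
        attrs[k.strip().lower()] = v.strip()
    return attrs


def normalize_dn(dn):
    """Order-independent, case-insensitive key for comparing DNs."""
    return tuple(sorted(parse_dn(dn).items()))


# Constructed certificates, reduced to the two fields the mapping reads.
# Both issuers are assumed to be in the trusted CA set (as in the thread).
ALICE_CA1 = {
    "issuer": "CN=Swiss CA 1,O=Example",
    "subject": "serialNumber=CH-0001,CN=Alice,O=Example",
}
MALLORY_CA2 = {
    "issuer": "CN=Other CA,O=Example",
    "subject": "serialNumber=CH-0001,CN=Mallory,O=Example",
}

# Weak mapping: serialNumber -> local account (hypothetical table).
WEAK_MAP = {"CH-0001": "alice"}

# Hardened mapping: (issuer DN, serialNumber) -> local account.
STRICT_MAP = {(normalize_dn("CN=Swiss CA 1,O=Example"), "CH-0001"): "alice"}


def login_by_serial(cert, mapping):
    """Weak: any trusted CA can issue a cert with the victim's serialNumber."""
    serial = parse_dn(cert["subject"]).get("serialnumber")
    return mapping.get(serial)


def login_by_issuer_and_serial(cert, mapping):
    """Hardened: the serialNumber only counts under the CA it was mapped for."""
    issuer = normalize_dn(cert["issuer"])
    serial = parse_dn(cert["subject"]).get("serialnumber")
    return mapping.get((issuer, serial))


if __name__ == "__main__":
    print("weak, legitimate cert :", login_by_serial(ALICE_CA1, WEAK_MAP))
    print("weak, other-CA cert   :", login_by_serial(MALLORY_CA2, WEAK_MAP))
    print("strict, legitimate    :", login_by_issuer_and_serial(ALICE_CA1, STRICT_MAP))
    print("strict, other-CA cert :", login_by_issuer_and_serial(MALLORY_CA2, STRICT_MAP))
```

The trade-off is the one the thread hints at: if a serialNumber is transferred to a certificate from another CA, the issuer-bound mapping stops matching until the table is updated, whereas the serial-only mapping keeps working but relies entirely on every trusted CA vetting the identifier the same way.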