Bear Giles wrote:
>
> Of course, this opens the whole can-o-worms of "what constitutes
> a duplicate cert?"  Is it an exact match, or matching I+SN, or
> some other criteria?
>
There are some cases where only an exact match is acceptable. An example
is how OpenSSL performs a verify operation on a single self-signed
certificate. It looks up the certificate from the trusted certificate
store and trusts it *only* if the certificate precisely matches the one
from the store: this is done by comparing the hashes of the whole
certificate. If it only did an I+SN match then an attacker could readily
generate a self-signed certificate using its own key with matching I+SN.

If and when OpenSSL verify permits explicit trust of an EE certificate
without trusting the chain, a similar criterion will need to be applied.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
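As an added illustration of the point made in the reply above (example script written for this page, not code from the thread or from OpenSSL itself): two self-signed certificates are generated with the same subject/issuer name and the same serial number but different keys, and then compared three ways: by issuer plus serial, by a digest over the whole DER certificate (the exact match the reply describes), and by what `openssl verify` reports when only the first certificate is in the trust store. The subject name, serial number and temporary file layout are constructed; the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the list post): contrast an issuer+serial (I+SN)
# match with an exact whole-certificate match when a self-signed certificate
# is looked up in a trust store. Requires the openssl CLI; the subject name,
# serial number and file names below are constructed for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_self_signed NAME: fresh key plus a self-signed cert with a fixed
# subject and a fixed serial, so every cert produced shares its I+SN.
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Trust Anchor" -set_serial 4660 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Digest over the entire DER encoding: what an exact match compares.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Issuer name and serial number: what an I+SN match compares.
cert_issuer_serial() {
  printf '%s|%s\n' \
    "$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)" \
    "$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)"
}

# Both matchers succeed (exit 0) when TRUSTED and CANDIDATE agree.
isn_match()   { [ "$(cert_issuer_serial "$1")" = "$(cert_issuer_serial "$2")" ]; }
exact_match() { [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; }

# OpenSSL's own decision: verify CANDIDATE with TRUSTED as the only store entry.
openssl_verify() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

gen_self_signed trusted    # the certificate that lives in the trust store
gen_self_signed impostor   # a different key, but the same issuer and serial
T="$WORK/trusted.pem"; I="$WORK/impostor.pem"

if isn_match "$T" "$I";   then echo "I+SN match:   yes (impostor would be trusted)"; fi
if exact_match "$T" "$I"; then echo "exact match:  yes"; else echo "exact match:  no (digests differ)"; fi
if openssl_verify "$T" "$I"; then echo "openssl verify: accepted"; else echo "openssl verify: rejected"; fi
```

Because the impostor only shares the name and serial, the I+SN comparison cannot tell it from the genuine anchor, while the SHA-256 digest of the whole certificate differs and `openssl verify` refuses it; that is the behaviour the reply describes as the reason an exact match is required for self-signed certificates.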
