Stephen Henson via RT wrote:

>One would be the perl front end CA.pl

Patch attached

>Another would be if non-standard scripts initialize the serial number
>file either for 'ca' or the 'x509' utility.

My original patch fixed the -CAcreateserial switch. Not much we can do about scripts not shipped with OpenSSL, but most folk seem to be using the standard apps.

>With regard to 0 being a non conforming serial number. RFC3280 in
>4.1.2.2 says serialNumber must be positive (which would exclude 0) and
>in the next sentence non-negative (which wouldn't).

The second sentence doesn't contradict the first one, it just fails to (redundantly) require CAs to not generate that one particular nonconforming value. The last paragraph also implies that zero serial numbers are nonconforming. But the problem with 0 is not so much its nonconformance but the fact that as a default it (or any other fixed integer) has a good chance at failing the uniqueness requirement.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
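The two points argued in the message above, as an added example that is not part of the original post or of OpenSSL's code: a check of a serial number against the RFC 3280 4.1.2.2 rules (positive, at most 20 octets), and a comparison of a fixed default against a random starting value when a serial file is re-initialised. All function names are hypothetical, and the serial file layout (hex digits, even count, trailing newline) is an assumption about what the `ca` and `x509` apps read.

```python
import secrets

MAX_OCTETS = 20  # RFC 3280 4.1.2.2: CAs must not use serials longer than 20 octets


def der_integer_len(n):
    """Content octets of the DER INTEGER encoding of a non-negative n."""
    # Two's complement needs a leading 0x00 when the top bit would be set.
    return n.bit_length() // 8 + 1


def check_serial(n):
    """Return the list of RFC 3280 4.1.2.2 problems with serial n (empty if none)."""
    if n <= 0:
        return ["not positive"]
    if der_integer_len(n) > MAX_OCTETS:
        return ["longer than 20 octets"]
    return []


def random_serial(octets=16):
    """Random positive serial whose DER encoding fits in `octets` octets."""
    while True:
        n = secrets.randbits(octets * 8 - 1)  # top bit clear, so no 0x00 pad
        if n > 0:
            return n


def serial_file_text(n):
    """Serial file contents: hex with an even digit count (assumed format)."""
    digits = format(n, "X")
    return ("0" + digits if len(digits) % 2 else digits) + "\n"


def reissued(start_a, start_b, count):
    """Serials issued twice when a serial file is lost and re-initialised."""
    first = {start_a + i for i in range(count)}
    second = {start_b + i for i in range(count)}
    return first & second


if __name__ == "__main__":
    print("serial 0:", check_serial(0))
    print("fixed default reissues:", sorted(reissued(0, 0, 3)))
    a, b = random_serial(), random_serial()
    print("random start reissues:", sorted(reissued(a, b, 3)))
    print("new serial file:", serial_file_text(a).strip())
```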