On Tue, Nov 23, 2004, Jason Haar wrote:

> 
> Cisco did a real good job with their PKI support in the VPN-3000 series 
> - I wish I could say the same for IOS (our CA has a serial number of 
> "0", and IOS refuses to trust a CA with a serial <1.  Strange - I always 
> thought 0 was an integer as required by the SSL RFCs... :-()
> 

The RFCs were a bit ambiguous on that score. Various people have said
since that 0 shouldn't be used as a serial number so OpenSSL doesn't do this
by default in the very latest versions (it uses a random 64 bit serial number
instead).

Various public CAs have zero as a serial number: some of the Thawte ones for
example.

However that's just the rules for generating serial numbers. As is usual the
criteria for acceptance are more general. For example in RFC3280 4.1.2.2:

> Non-conforming CAs may issue certificates with serial numbers
> that are negative, or zero.  Certificate users SHOULD be prepared to
> gracefully handle such certificates.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]