Hello,

Today is IV Kal. Mar. MMVI, Kyle Hamilton wrote:
[...]
> Can you give me a pointer to the several standards that reflect and
> enforce the issuer name + serial number uniqueness? A more

The X.509 says it all. From this standard, a CA is a name (not a key, really a name). That allows you to renew the CA's key (and certificate), and this key+certificate still belongs to the same CA. Whence, you can revoke an issued certificate that was signed by an anterior CA key.

This (issuer name, serial number) uniqueness is clearly stated in chapter 7 ("Public-keys and public-key certificates"):

"serialNumber is an integer assigned by the CA to each certificate. The value of serialNumber must be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate)."

--
Erwann ABALEA <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
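An added example, not part of the original message or of OpenSSL: a Python check that keys a certificate inventory on (issuer name, serial number), as the quoted X.509 text requires, so that two distinct certificates sharing that pair are flagged even when they were signed under different CA keys. The records, field names and the simplified DN comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory records (not real certificates). "aki" stands for the
# authority key identifier, i.e. which CA key signed the certificate.
INVENTORY = [
    {"issuer": "CN=Example CA, O=Example, C=FR", "serial": "01:A4", "aki": "key-2004", "sha256": "aa11"},
    {"issuer": "cn=example ca,o=example,c=fr", "serial": "0x01a4", "aki": "key-2006", "sha256": "bb22"},
    {"issuer": "CN=Example CA, O=Example, C=FR", "serial": "01A5", "aki": "key-2006", "sha256": "cc33"},
    {"issuer": "CN=Other CA, O=Example, C=FR", "serial": "01A4", "aki": "key-x", "sha256": "dd44"},
    {"issuer": "CN=Example CA, O=Example, C=FR", "serial": "01A5", "aki": "key-2006", "sha256": "cc33"},
]

def norm_issuer(dn):
    """Simplified DN comparison (assumption): ignore case and spaces around RDNs."""
    return tuple(part.strip().lower() for part in dn.split(","))

def norm_serial(text):
    """Parse a hex serial ('01:A4', '0x01a4', '01A4') into the integer it encodes."""
    return int(text.replace(":", ""), 16)

def identity(cert):
    """Certificate identity is (issuer name, serial); the signing key is not part of it."""
    return (norm_issuer(cert["issuer"]), norm_serial(cert["serial"]))

def find_collisions(certs):
    """Return {identity: sorted fingerprints} where distinct certs share one identity."""
    seen = defaultdict(set)
    for cert in certs:
        seen[identity(cert)].add(cert["sha256"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def is_revoked(cert, crl_issuer, revoked_serials):
    """Revocation lookup by issuer name and serial, whichever CA key signed the cert."""
    return (norm_issuer(cert["issuer"]) == norm_issuer(crl_issuer)
            and norm_serial(cert["serial"]) in revoked_serials)

if __name__ == "__main__":
    print(find_collisions(INVENTORY))
    print(is_revoked(INVENTORY[0], "CN=Example CA, O=Example, C=FR", {0x01A4}))
```

The first two records collide because the serial namespace follows the CA name across the key renewal; the repeated last record is the same certificate seen twice and is not reported.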