Dr. Stephen Henson wrote:
> On Wed, May 17, 2006, Phil Dibowitz wrote:
> 
>>
>> "CA.pl -newca" takes a random 64-bit number for the serial number of the
>> CA, and then auto-increments that for all of the certs it signs.
>>
>> Why random? Why not start at 64-bits of 0s? Is there some benefit here?
>>
> 
> The serial number is an integer. 64 bits of 0s is 0 which is an illegal
> serial number.

OK, fine, 63 bits of 0's and a 1. =P

> The reason for the random nature is so that OpenSSL by default makes it
> very unlikely to duplicate issuer names and serial numbers, which is a
> standard violation and can cause peculiar hard to trace errors in common
> web browsers. That can be very confusing for beginners.

Wait - just to make sure I understand this... the concern is there might
be another CA with the same DN out there, and thus we don't want to
start with the same serial numbers as them?

Thanks,
-- 
Phil Dibowitz
P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com

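The two points raised in this exchange, that a serial number is a DER INTEGER which must be positive (so 0 is illegal) and that the (issuer name, serial) pair has to be unique, are easy to get wrong in home-grown CA tooling. The following is an added example, not code from the thread or from OpenSSL itself: it models a serial file the way CA.pl handles it (random 64-bit start, then increment), validates serials against the X.509 rules, DER-encodes them correctly when the top bit is set, and shows why two CAs sharing a DN and both starting at 1 collide while random starts do not. All function names, and the "CN=Test CA" issuer, are this example's own assumptions.

```python
"""Added example (not from the OpenSSL thread above): CA.pl-style serial
handling and the (issuer, serial) uniqueness check the reply refers to."""

import secrets

# RFC 5280 4.1.2.2: serialNumber is a positive INTEGER of at most 20 octets.
MAX_SERIAL_OCTETS = 20


def der_integer(value):
    """DER-encode a non-negative int as 0x02 <len> <bytes>.

    DER INTEGER is two's-complement, so a value whose top bit is set (as half
    of all random 64-bit serials will be) needs a leading 0x00 octet or it
    would decode as a negative number."""
    if value < 0:
        raise ValueError("negative serials are illegal")
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    assert len(body) < 128  # short-form length is enough for serials
    return b"\x02" + bytes([len(body)]) + body


def is_legal_serial(serial):
    """True iff serial is a positive integer that fits in 20 octets."""
    if not isinstance(serial, int) or serial <= 0:
        return False  # 0 (and negatives) are illegal serial numbers
    return len(der_integer(serial)) - 2 <= MAX_SERIAL_OCTETS


def validate_serial(serial):
    if not is_legal_serial(serial):
        raise ValueError("illegal serial number: %r" % (serial,))
    return serial


def new_random_serial(bits=64):
    """Random positive serial, as CA.pl -newca does for a fresh CA."""
    while True:
        s = secrets.randbits(bits)
        if s:  # reject the one illegal value, 0
            return validate_serial(s)


def serial_file_text(serial):
    """Format like OpenSSL's `serial` file: uppercase hex, even digit count."""
    h = "%X" % serial
    if len(h) % 2:
        h = "0" + h
    return h + "\n"


def next_serial(serial):
    """What the CA writes back to its serial file after signing one cert."""
    return validate_serial(serial + 1)


def find_duplicate_identities(certs):
    """Given (issuer_dn, serial) pairs, return those that occur more than once.

    Relying parties (browsers, CRL lookups) identify a certificate by exactly
    this pair, so a duplicate is a standards violation and misbehaves oddly."""
    seen, dups = set(), []
    for issuer, serial in certs:
        key = (issuer, serial)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def simulate(start_a, start_b, issued=3, issuer="CN=Test CA"):
    """Two independent CAs with the same DN each issue `issued` certs,
    starting from start_a and start_b; return the colliding identities."""
    certs = []
    for start in (start_a, start_b):
        s = validate_serial(start)
        for _ in range(issued):
            certs.append((issuer, s))
            s = next_serial(s)
    return find_duplicate_identities(certs)


if __name__ == "__main__":
    print("both CAs start at 1:", simulate(1, 1))
    print("random starts:", simulate(new_random_serial(), new_random_serial()))
    print("serial file for a fresh CA:", serial_file_text(new_random_serial()), end="")
```

`simulate(1, 1)` returns every issued identity as a duplicate, while two 64-bit random starts collide only if their ranges happen to overlap, which is the "very unlikely" the reply is talking about. The DER encoder is the part most often botched: a serial such as `0xFF...` must be emitted with a leading zero octet, and a tool that omits it produces a certificate whose serial decodes as negative, which is itself illegal.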