On Wed, May 17, 2006, Phil Dibowitz wrote:
> Dr. Stephen Henson wrote:
> >
> > The reason for the random nature is so that OpenSSL by default makes it very
> > unlikely to duplicate issuer names and serial numbers, which is a standard
> > violation and can cause peculiar, hard-to-trace errors in common web
> > browsers.
> > That can be very confusing for beginners.
>
> Wait - just to make sure I understand this... the concern is there might
> be another CA with the same DN out there, and thus we don't want to
> start with the same serial numbers as them?
>
No, a newbie would create a CA, install it in a browser (or several browsers),
issue some certificates, etc. They would then decide they didn't like the
expiry date or something else associated with it and then create a second CA,
entering exactly the same details as before.

The two would look identical, and certificates issued by the two CAs could get
duplicate serial numbers all over the place. So the default is to do something
"safe". If someone knows what they are doing they can use different serial
numbers and low values if they wish.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
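The failure Steve describes is two certificates that carry the same issuer DN and the same serial number, which is exactly what happens when a CA is recreated with identical details and low, predictable serials. The script below is an added example, not part of the thread and not OpenSSL project code; it checks a directory of PEM certificates for that condition. It assumes openssl(1) is on PATH and that the files end in .pem or .crt; the duplicate-detection step is kept separate so it can also be run over a plain "issuer|serial|file" list.

```shell
#!/bin/sh
# Added example (not from the original thread): flag certificates that share
# an issuer DN and a serial number, the duplicate that browsers trip over.
set -eu

# Emit one "issuer|serial|file" line per PEM certificate in directory $1.
# Assumes openssl(1) is on PATH; files openssl cannot parse are skipped.
issuer_serial_lines() {
  dir=$1
  for f in "$dir"/*.pem "$dir"/*.crt; do
    [ -f "$f" ] || continue
    out=$(openssl x509 -in "$f" -noout -issuer -serial 2>/dev/null) || continue
    issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p')
    serial=$(printf '%s\n' "$out" | sed -n 's/^serial=//p')
    printf '%s|%s|%s\n' "$issuer" "$serial" "$f"
  done
}

# Read "issuer|serial|file" lines on stdin. Print every (issuer, serial) pair
# that appears more than once, followed by the files carrying it.
# Exit status 1 if any duplicate pair was found, 0 otherwise.
find_duplicate_pairs() {
  awk -F'|' '
    { key = $1 "|" $2; n[key]++; files[key] = files[key] " " $3 }
    END {
      dup = 0
      for (k in n) if (n[k] > 1) { dup = 1; print "DUPLICATE " k ":" files[k] }
      exit dup
    }'
}

# Usage: ./check_serials.sh /path/to/certs
if [ $# -eq 1 ]; then
  issuer_serial_lines "$1" | find_duplicate_pairs
fi
```

A hit from this check means two certificates are indistinguishable by the (issuer, serial) pair that X.509 relies on to identify them; the fix on the CA side is the one Steve gives, either let OpenSSL keep its random default or, if you override it with -set_serial, make sure each CA you create (even one with an identical DN) never reuses a value.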