On Wed, 5 Mar 2008, Richard Levitte wrote:

> lavalamp> Architecture question:
> lavalamp>
> lavalamp> Do certificate serial numbers within a multi-tier
> lavalamp> certificate authority chain need be globally unique?
>
> Depends on what you mean with "globally".
> If you mean world-wide, then no. The sheer thought is ludicrous.
> If you mean "signed by the same CA" then yes. Certificates are
> uniquely identified with the couple <issuing DN, serial>.
>
> lavalamp> A Thunderbird user recently received the following error
> lavalamp> because his cert serial number, as signed by one CA, matched
> lavalamp> the serial number of the server, both of which were signed
> lavalamp> by CA signing certs signed by a master CA
>
> OK, hold on, that wasn't quite clear. Which one of the following

Richard:

The way it's laid out is:

        RCA (Root CA)
            /\
           /  \
       (CA0)  (CA1)
         |      |
     (Users) (Servers)

The root CA has a certain set of serial numbers for subordinate
signing-only CA certs (0->9):

  CA0 = User Cert Signing
  CA1 = Server Cert Signing
  CA2 = Network Devices
  CA3 = Revocation List Signing
  CA4 = Software
  CA5 = etc...

Then each subordinate CA has a unique set of serials for each cert it
signs.

In this case, the User Cert IMAP/SMTP client probably had the same
serial number as either:

  - The Root CA's serial for CA0 or CA1
  - The Server Cert's server cert.

I honestly can't recall which, at this point, but it is still
perturbing, since the issuing DN and the cert serial combo would be
unique in all circumstances.

~BAS

> structures are you describing?
>
>     MCA
>     / \
>   CA1 CA2
>    |   |
>   SC   UC
>
> or
>
>     MCA
>      |
>     CA
>    /  \
>   SC  UC
>
> ( MCA = Master CA; CA, CA1, CA2 = sub-CAs; SC = Server Cert; UC = User Cert)
>
> lavalamp> "Your certificate contains the same serial number as another
> lavalamp> certificate issued by the certificate authority. Please get
> lavalamp> a new certificate containing a unique serial number"
>
> This indicates that both the SC and UC were given the same serial
> number and were signed by the same CA (scenario 2 above).
>
> Cheers,
> Richard
>
> --
> Richard Levitte rich...@levitte.org
> http://richard.levitte.org/
>
> "When I became a man I put away childish things, including
> the fear of childishness and the desire to be very grown up."
> -- C.S. Lewis

l8* -lava

(Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"Show me a young conservative and I'll show you someone with no heart.
Show me an old liberal and I'll show you someone with no brains."
~ Winston Churchill

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
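Richard's rule that a certificate is identified by the pair <issuing DN, serial> can be checked directly over a hierarchy shaped like Brian's. The script below is an added example, not code from the thread; it assumes a local `openssl` binary and uses constructed names (RCA, CA0, CA1, the example.org subjects), building the root, the two signing-only sub-CAs and three leaf certs, then listing any <issuer, serial> pair that occurs twice.

```shell
#!/bin/sh
# Constructed demo (not from the thread): RCA signs sub-CAs CA0 (users) and
# CA1 (servers); leaf certs are then checked for <issuer DN, serial> collisions.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# issue NAME CN ISSUER SERIAL [EXTFILE]: fresh key + CSR, signed by ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  ext=""
  if [ -n "$5" ]; then ext="-extfile $5"; fi
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -set_serial "$4" -days 1 $ext -out "$WORK/$1.pem" 2>/dev/null
}

# collisions CERT...: print each <issuer, serial> pair that occurs more than once.
collisions() {
  for f in "$@"; do
    printf '%s | %s\n' "$(openssl x509 -in "$f" -noout -issuer)" \
                       "$(openssl x509 -in "$f" -noout -serial)"
  done | sort | uniq -d
}

# Self-signed root, then the two signing-only sub-CAs (serials 1 and 2 under RCA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rca.key" \
  -out "$WORK/rca.pem" -subj "/CN=RCA" -days 1 2>/dev/null
issue ca0 CA0 rca 1 "$WORK/ca.ext"
issue ca1 CA1 rca 2 "$WORK/ca.ext"

# Leaf certs: serial 10 reused across CA0 and CA1 is fine (different issuer DN);
# serial 10 reused under CA0 alone is exactly what Thunderbird complains about.
issue user1   user1@example.org ca0 10
issue server1 imap.example.org  ca1 10
issue user2   user2@example.org ca0 10

echo "same serial, different sub-CAs (expect no output):"
collisions "$WORK/user1.pem" "$WORK/server1.pem"
echo "same serial, same sub-CA (expect one line):"
collisions "$WORK/user1.pem" "$WORK/user2.pem"
```

Running `collisions` over every certificate a sub-CA has ever issued is the operational check; an empty result means the <issuer DN, serial> pairs are unique as the X.509 model requires.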