On Wed, 5 Mar 2008, Richard Levitte wrote:

>
> lavalamp> Architecture question:
> lavalamp>
> lavalamp> Do certificate serial numbers within a multi-trier
> lavalamp> certificate authority chain need be globally unique?
>
> Depends on what you mean with "globally".
> If you mean world-wide, then no.  The sheer thought is ludicrous.
> If you mean "signed by the same CA" then yes.  Certificates are
> uniquely identified with the couple <issuing DN, serial>.
>
> lavalamp> A Thunderbird user recently received the following error
> lavalamp> because his cert serial number, as signed by one CA, matched
> lavalamp> the serial number of the server, both of which were signed
> lavalamp> by CA signing certs signed by a master CA
>
> OK, hold on, that wasn't quite clear.  Which one of the following

Richard:

The way it's laid out is:

      RCA (Root CA)
       /\
     |'  '|
  (CA0)  (CA1)
    /      \
  |'       '|
 (Users)  (Servers)

The root CA has a certain set of serial numbers for subordinate
signing-only CA Certs (0->9):

CA0 = User Cert Signing
CA1 = Server Cert Signing
CA2 = Network Devices
CA3 = Revocation List Signing
CA4 = Software
CA5 = etc...

Then each subordinate CA has a unique set of serials for each cert it
signs.

In this case, the User Cert IMAP/SMTP client probably had the same serial
number as either:

 - The Root CA's serial for CA0 or CA1
 - The Server Cert's server cert.

I honestly can't recall which, at this point, but it is still perturbing,
since the issuing DN and the cert serial combo would be unique in all
circumstances.

~BAS



> structures are you describing?
>
>        MCA
>       /   \
>     CA1   CA2
>      |     |
>     SC    UC
>
> or
>
>        MCA
>         |
>        CA
>       /  \
>     SC    UC
>
> ( MCA = Master CA; CA, CA1, CA2 = sub-CAs; SC = Server Cert; UC = User Cert)
>
> lavalamp> "Your certificate contains the same serial number as another
> lavalamp> certificate issued by the certificate authority. Please get
> lavalamp> a new certificate containing a unique serial number"
>
> This indicates that both the SC and UC were given the same serial
> number and were signed by the same CA (scenario 2 above).
>
> Cheers,
> Richard
>
> --
> Richard Levitte                         rich...@levitte.org
>                                         http://richard.levitte.org/
>
> "When I became a man I put away childish things, including
>  the fear of childishness and the desire to be very grown up."
>                                               -- C.S. Lewis
>

l8*
        -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
               http://www.spiritual-machines.org/

    "Show me a young conservative and I'll show you someone with no heart.
    Show me an old liberal and I'll show you someone with no brains."
    ~ Winston Churchill
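The check the thread turns on, that a certificate is identified by the pair (issuer DN, serial) and that two certificates from the same issuer must never share a serial, can be run mechanically over a pile of DER-encoded certificates. The example below is added here and is not code from either poster or from the OpenSSL project; it walks the DER of each certificate just far enough to pull out the serialNumber and the raw issuer Name, then groups by that pair. The certificates it runs on are constructed in the script with a dummy signature and placeholder key, modelling the RCA / CA0 / CA1 layout drawn above; the names, serials and labels are assumptions made for the example.

```python
"""Find (issuer, serial) collisions across DER X.509 certificates.

Added example: a minimal DER walker plus a tiny DER builder used only to
construct test certificates; neither is a full ASN.1 implementation.
"""
from collections import defaultdict


# --- minimal DER encoding, used only to build constructed test certificates ---

def _len(n: int) -> bytes:
    """DER length: short form below 128, otherwise 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body


def der_int(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the high bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def der_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN, with a single commonName (OID 2.5.4.3) attribute."""
    atv = tlv(0x30, bytes.fromhex("06035504" "03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))


# sha256WithRSAEncryption with NULL parameters (the algorithm identifier is real;
# the signatures below are not)
_ALG = tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")


def fake_cert(serial: int, issuer_cn: str, subject_cn: str) -> bytes:
    """Structurally valid v3 Certificate with placeholder key and signature (constructed)."""
    version = tlv(0xA0, der_int(2))                                  # [0] EXPLICIT v3
    validity = tlv(0x30, tlv(0x17, b"080305000000Z") + tlv(0x17, b"090305000000Z"))
    spki = tlv(0x30, _ALG + tlv(0x03, b"\x00" * 5))                  # placeholder key
    tbs = tlv(0x30, version + der_int(serial) + _ALG + der_name(issuer_cn)
              + validity + der_name(subject_cn) + spki)
    return tlv(0x30, tbs + _ALG + tlv(0x03, b"\x00" * 9))           # dummy signature


# --- the check itself ---

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV beginning at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, start, start + length


def issuer_and_serial(cert: bytes):
    """Return (raw issuer Name DER, serial) from a DER Certificate."""
    tag, tbs_pos, _ = _read_tlv(cert, 0)          # Certificate SEQUENCE
    assert tag == 0x30
    tag, pos, _ = _read_tlv(cert, tbs_pos)        # tbsCertificate SEQUENCE
    assert tag == 0x30
    tag, s, e = _read_tlv(cert, pos)
    if tag == 0xA0:                               # optional [0] version, skip it
        tag, s, e = _read_tlv(cert, e)
    assert tag == 0x02                            # serialNumber INTEGER
    serial = int.from_bytes(cert[s:e], "big", signed=True)
    tag, s, e = _read_tlv(cert, e)                # signature AlgorithmIdentifier
    assert tag == 0x30
    issuer_pos = e
    tag, s, e = _read_tlv(cert, issuer_pos)       # issuer Name
    assert tag == 0x30
    return cert[issuer_pos:e], serial


def find_collisions(certs):
    """Group labelled certs by (issuer, serial); return only the groups with duplicates."""
    seen = defaultdict(list)
    for label, der in certs:
        seen[issuer_and_serial(der)].append(label)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed hierarchy mirroring the thread: RCA signs CA0 and CA1; CA0 signs users,
# CA1 signs servers. Serial 1 is reused under three different issuers, which is
# fine; only the last entry reuses a serial under the *same* issuer (CA1).
SAMPLE_CERTS = [
    ("CA0 (signed by RCA)", fake_cert(0, "RCA", "CA0")),
    ("CA1 (signed by RCA)", fake_cert(1, "RCA", "CA1")),
    ("user cert (signed by CA0)", fake_cert(1, "CA0", "lavalamp")),
    ("server cert (signed by CA1)", fake_cert(1, "CA1", "imap.example")),
    ("second server cert (signed by CA1)", fake_cert(1, "CA1", "smtp.example")),
]

if __name__ == "__main__":
    for (issuer, serial), labels in find_collisions(SAMPLE_CERTS).items():
        print(f"serial {serial} reused by the same issuer: {labels}")
```

Run against the first four entries the script reports nothing, because the user cert and the server cert with serial 1 hang off different issuers; only the fifth entry, a second CA1-issued cert with serial 1, is flagged, which is the condition the Thunderbird message is complaining about. On real certificates the same grouping is what `openssl x509 -noout -issuer -serial` piped through `sort | uniq -d` gives you.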
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org