Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-10-01 Thread Anders Rundgren
: "Mozilla Crypto" Sent: Friday, September 29, 2006 14:35 Subject: Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs The trust anchor (i.e., the root CA) authenticates itself, as well as the certificates it issues to other entities. A better diagram and

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-29 Thread Kyle Hamilton
The trust anchor (i.e., the root CA) authenticates itself, as well as the certificates it issues to other entities. A better diagram and way of looking at it would be thus: anchor (.) <- trust level / \ root subca <- authentication level / \ subsubCA endentity It's

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-28 Thread Anders Rundgren
Jean-Marc Desperrier wrote: >> [...]. That Root is actually signed by the >> same key and having the same issuer as Sub does not put it in the same level >> as Sub since Root is selfsigned. >I think you should rethink about the meaning of *self*-signed. I don't claim to be the world's biggest exp

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-28 Thread Nelson B
Amplifying on my previous reply... Anders Rundgren wrote: > Serial number + Issuer MUST indeed be unique within a CA. That is, the field of the certificate, whose field name is "issuer", which is the issuer's DN, together with the serial number, must be unique. > Therefore the following was int

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-28 Thread Jean-Marc Desperrier
Jean-Marc Desperrier wrote: Anders Rundgren wrote: [...]. That Root is actually signed by the same key and having the same issuer as Sub does not put it in the same level as Sub since Root is selfsigned. I think you should rethink about the meaning of *self*-signed. The issuer of Root *is* R

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-28 Thread Jean-Marc Desperrier
Anders Rundgren wrote: [...]. That Root is actually signed by the same key and having the same issuer as Sub does not put it in the same level as Sub since Root is selfsigned. I think you should rethink about the meaning of *self*-signed. The issuer of Root *is* Root, so Root and Sub *do* shar

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-27 Thread Nelson B
Anders Rundgren wrote: > Dear Kai, > I think I misunderstood your complaint a bit. > Apparently Bob and Nelson think I'm wrong as well. > > So here we go again... > > Serial number + Issuer MUST indeed be unique within a CA. The requirement is unique combination of (Issuer NAME, Serial Number).

CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-27 Thread Anders Rundgren
Dear Kai, I think I misunderstood your complaint a bit. Apparently Bob and Nelson think I'm wrong as well. So here we go again... Serial number + Issuer MUST indeed be unique within a CA. Therefore the following was interpreted as incorrect: Issuer: Root Serial: 1 Subject: Root Issuer: Root Ser