W3C home > Mailing lists > Public > w3c-ietf-xmldsig@w3.org > January to March 2001

Re: X509SerialNumber schema

From: Glenn Adams <gadams@vgi.com>
Date: Wed, 28 Mar 2001 12:18:38 -0500
Message-ID: <003101c0b7ab$216b3aa0$26020001@vgi.com>
To: "Tom Gindin" <tgindin@us.ibm.com>
Cc: <kgold@watson.ibm.com>, <w3c-ietf-xmldsig@w3.org>
Yes, I just looked at a variety of VeriSign certificates, and they all seem to
use 128-bit serial numbers. I'm beginning to believe Ken has a good suggestion
regardring the use of ds:CrytoBinary rather than Integer as the type for
X509SerialNumber.

Regards,
Glenn

----- Original Message -----
From: "Tom Gindin" <tgindin@us.ibm.com>
To: "Glenn Adams" <gadams@vgi.com>
Cc: <kgold@watson.ibm.com>; <w3c-ietf-xmldsig@w3.org>
Sent: Wednesday, March 28, 2001 12:11 PM
Subject: Re: X509SerialNumber schema


>
>      AFAIK there is at least one commercial CA vendor who
> CHARACTERISTICALLY produces 128-bit or longer serial numbers with values
> which do not appear to be sequentially assigned.  If you have an installed
> copy of Netscape's browser, and look at the Class 3 Public Primary
> Certification Authority from Verisign, you'll see a 128-bit serial number
> starting with hex 7D.  I can only speculate how these numbers were actually
> assigned - if you're interested you can ask somebody who really knows.
>      I can't see any 160-bit values, and you can take that part of what I
> told Ken as my vague and unreliable recollection.
>
>           Tom Gindin
>
>
> "Glenn Adams" <gadams@vgi.com>@w3.org on 03/28/2001 11:18:16 AM
>
> Sent by:  w3c-ietf-xmldsig-request@w3.org
>
>
> To:   <kgold@watson.ibm.com>
> cc:   <w3c-ietf-xmldsig@w3.org>
> Subject:  Re: X509SerialNumber schema
>
>
>
> > Date: Fri, 9 Mar 2001 15:30:22 -0500
> > Message-Id: <200103092030.PAA35236@alpha.watson.ibm.com>
> > From: Ken Goldman <kgold@watson.ibm.com>
> > To: w3c-ietf-xmldsig@w3.org
> > Subject: X509SerialNumber schema
>
> ...
>
> > Assuming that (1) is right - If I have an X509SerialNumber from a
> > certificate that is a long string of bits (Tom Ginden mentioned back on
> > July that some certificates use a hash value of 160 bits) doesn't the
> > binary to decimal conversion become computationally painful.
>
> Are you certain this hash is used for CertificateSerialNumber as opposed to
> using it for
> SubjectKeyIdentifier? RFC2459 Section 4.2.1.2 describes such a hash to be
> used
> for SubectKeyIdentifier.
>
> Regards,
> Glenn Adams
>
>
>
Received on Wednesday, 28 March 2001 12:19:55 GMT

This archive was generated by hypermail 2.2.0 + w3c-0.29 : Thursday, 13 January 2005 12:10:12 GMT