Re: XML certificate ... from EKR on 2000-05-10 (w3c-ietf-xmldsig@w3.org from April to June 2000)

From: EKR <ekr@rtfm.com>
Date: 10 May 2000 13:05:23 -0700
To: w3c-ietf-xmldsig@w3.org
Message-ID: <kjsnvqyxvg.fsf@romeo.rtfm.com>

Carl Ellison <cme@jf.intel.com> writes:
> (issuer,serial number) is from the X.509 world and is one of the ways X.509 
> is broken.
> 
> "issuer" is a  DN and might identify an issuer, if DN's were from a 
> singly-rooted name space, as was the original plan in X.500.  DN's are not 
> singly-rooted and never will be -- so using a DN as an identifier is broken.
Carl,

Can you cite any actual real world [0] scenario where two certificates
have had the same issuer/serial and been issued by different issuers? 
If not, it's hard to take this objection very seriously.

-Ekr

[0] By real world, I'm explicitly including cases where the same 
entity has generated two keys with the same DN. Obviously, this
has the potential for confusion, but that can happen even in a
singly rooted namespace.

Received on Wednesday, 10 May 2000 16:04:31 UTC