- From: EKR <ekr@rtfm.com>
- Date: 10 May 2000 13:05:23 -0700
- To: w3c-ietf-xmldsig@w3.org
Carl Ellison <cme@jf.intel.com> writes:

> (issuer,serial number) is from the X.509 world and is one of the ways X.509
> is broken.
>
> "issuer" is a DN and might identify an issuer, if DN's were from a
> singly-rooted name space, as was the original plan in X.500. DN's are not
> singly-rooted and never will be -- so using a DN as an identifier is broken.

Carl,

Can you cite any actual real world [0] scenario where two certificates have had the same issuer/serial and been issued by different issuers? If not, it's hard to take this objection very seriously.

-Ekr

[0] By real world, I'm explicitly including cases where the same entity has generated two keys with the same DN. Obviously, this has the potential for confusion, but that can happen even in a singly rooted namespace.
Received on Wednesday, 10 May 2000 16:04:31 UTC