- From: Tom Gindin <tgindin@us.ibm.com>
- Date: Wed, 28 Mar 2001 12:11:47 -0500
- To: "Glenn Adams" <gadams@vgi.com>
- Cc: <kgold@watson.ibm.com>, <w3c-ietf-xmldsig@w3.org>
AFAIK there is at least one commercial CA vendor who
CHARACTERISTICALLY produces 128-bit or longer serial numbers with values
which do not appear to be sequentially assigned. If you have an installed
copy of Netscape's browser, and look at the Class 3 Public Primary
Certification Authority from Verisign, you'll see a 128-bit serial number
starting with hex 7D. I can only speculate how these numbers were actually
assigned - if you're interested you can ask somebody who really knows.
I can't see any 160-bit values, and you can take that part of what I
told Ken as my vague and unreliable recollection.
Tom Gindin
"Glenn Adams" <gadams@vgi.com>@w3.org on 03/28/2001 11:18:16 AM
Sent by: w3c-ietf-xmldsig-request@w3.org
To: <kgold@watson.ibm.com>
cc: <w3c-ietf-xmldsig@w3.org>
Subject: Re: X509SerialNumber schema
> Date: Fri, 9 Mar 2001 15:30:22 -0500
> Message-Id: <200103092030.PAA35236@alpha.watson.ibm.com>
> From: Ken Goldman <kgold@watson.ibm.com>
> To: w3c-ietf-xmldsig@w3.org
> Subject: X509SerialNumber schema
...
> Assuming that (1) is right - If I have an X509SerialNumber from a
> certificate that is a long string of bits (Tom Ginden mentioned back on
> July that some certificates use a hash value of 160 bits) doesn't the
> binary to decimal conversion become computationally painful.
Are you certain this hash is used for CertificateSerialNumber as opposed to
using it for
SubjectKeyIdentifier? RFC2459 Section 4.2.1.2 describes such a hash to be
used
for SubectKeyIdentifier.
Regards,
Glenn Adams
Received on Wednesday, 28 March 2001 12:11:53 UTC