Re: X509SerialNumber schema

     AFAIK there is at least one commercial CA vendor who
CHARACTERISTICALLY produces 128-bit or longer serial numbers with values
which do not appear to be sequentially assigned.  If you have an installed
copy of Netscape's browser, and look at the Class 3 Public Primary
Certification Authority from Verisign, you'll see a 128-bit serial number
starting with hex 7D.  I can only speculate how these numbers were actually
assigned - if you're interested you can ask somebody who really knows.
     I can't see any 160-bit values, and you can take that part of what I
told Ken as my vague and unreliable recollection.

          Tom Gindin

"Glenn Adams" <> on 03/28/2001 11:18:16 AM

Sent by:

To:   <>
cc:   <>
Subject:  Re: X509SerialNumber schema

> Date: Fri, 9 Mar 2001 15:30:22 -0500
> Message-Id: <>
> From: Ken Goldman <>
> To:
> Subject: X509SerialNumber schema


> Assuming that (1) is right - If I have an X509SerialNumber from a
> certificate that is a long string of bits (Tom Ginden mentioned back on
> July that some certificates use a hash value of 160 bits) doesn't the
> binary to decimal conversion become computationally painful.

Are you certain this hash is used for CertificateSerialNumber as opposed to
using it for
SubjectKeyIdentifier? RFC2459 Section describes such a hash to be
for SubectKeyIdentifier.

Glenn Adams

Received on Wednesday, 28 March 2001 12:11:53 UTC