Subject: RE: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures
Rich - X.509 and PKIX state that CAs MUST NOT reuse serial numbers. So, you are right. Relying parties MUST ensure that the CAs they recognize conform to X.509 or PKIX. Then, provided we reference certificates by issuer/serial, the certificate substitution attack is thwarted.

All the best. Tim.

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Tuesday, June 17, 2003 2:33 PM
To: Tim Moses
Cc: 'merlin'; Hal Lockhart; wss@lists.oasis-open.org
Subject: Re: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures

> The CMS approach works provided CAs use a different serial number in every
> certificate they issue.

Re-using serial numbers makes them non-conformant, doesn't it?

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html