Subject: RE: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures


Rich - X.509 and PKIX state that CAs MUST NOT reuse serial numbers.  So, you
are right.  Relying parties MUST ensure that the CAs they recognize conform
to X.509 or PKIX.  Then, provided we reference certificates by
issuer/serial, the certificate substitution attack is thwarted.  All the
best.  Tim.

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Tuesday, June 17, 2003 2:33 PM
To: Tim Moses
Cc: 'merlin'; Hal Lockhart; wss@lists.oasis-open.org
Subject: Re: [wss] New Issue: Key Identifiers Should Not Be Used for Signatures


> The CMS approach works provided CAs use a different serial number in every
> certificate they issue.

Re-using serial numbers makes them non-conformant, doesn't it?
	/r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html
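An added illustration of the point the thread makes, not code from the wss list or from either author: a relying party's certificate lookup keyed by issuer/serial compared with lookup by key identifier, with the CA serial-reuse check the reply says relying parties must depend on. All DNs, serials and key identifiers below are constructed sample values.

```python
# Added example, not from the wss thread: a relying party's certificate
# lookup keyed by issuer/serial, compared with lookup by key identifier.
# Names, DNs, serials and key ids below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str       # issuer DN
    serial: int       # unique per issuer for a conformant CA
    subject: str      # subject DN
    key_id: bytes     # subject key identifier (hash of the public key)


class CertStore:
    """Certificates from recognized CAs, indexed both ways."""

    def __init__(self):
        self._by_issuer_serial = {}
        self._by_key_id = {}

    def add(self, cert):
        key = (cert.issuer, cert.serial)
        if key in self._by_issuer_serial:
            # X.509/PKIX forbid serial reuse; a CA that reuses serials makes
            # issuer/serial references ambiguous, so refuse its certificate.
            raise ValueError(f"{cert.issuer} reused serial {cert.serial}")
        self._by_issuer_serial[key] = cert
        self._by_key_id.setdefault(cert.key_id, []).append(cert)

    def by_issuer_serial(self, issuer, serial):
        # Unambiguous: at most one certificate per (issuer, serial) pair.
        return self._by_issuer_serial.get((issuer, serial))

    def by_key_id(self, key_id):
        # Ambiguous: every certificate for this public key, whoever issued it.
        return self._by_key_id.get(key_id, [])


def substitution_demo():
    """Two certs for one key: the intended one and a substituted one."""
    store = CertStore()
    alice = Cert("CN=Example CA", 1001, "CN=alice", b"\x01" * 20)
    # The same public key certified again under another subject (constructed).
    other = Cert("CN=Other CA", 7, "CN=someone-else", b"\x01" * 20)
    store.add(alice)
    store.add(other)
    candidates = store.by_key_id(b"\x01" * 20)          # two matches
    intended = store.by_issuer_serial("CN=Example CA", 1001)  # exactly one
    return len(candidates), intended.subject
```

The key-identifier lookup returns both certificates, so a relying party that picks one by key id alone cannot tell which the signer meant; the issuer/serial lookup returns only the intended certificate, provided the store rejects serial reuse.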

