[xmlsec] RE: FW: X509SerialNumber

Wes Thomas wes at encomia.com
Thu Sep 2 10:29:43 PDT 2004


Assuming an audit is done in the future, how do you identify the issuer
certificate? I thought that subject name alone does not guarantee
uniqueness. That is the point--if I understand it correctly :-)--of having a
serial number. Subject and serial together provide uniqueness.

Otherwise how would you find the issuer certificate at a later date without
being able to provide the CA with the serial number of the certificate you
wish to verify against?

Besides that, <X509SerialNumber> is contained within the <X509IssuerSerial>
node! Why would that refer to anything BUT the issuer data?

-----Original Message-----
From: Aleksey Sanin [mailto:aleksey at aleksey.com] 
Sent: Thursday, September 02, 2004 11:57 AM
To: Wes Thomas
Cc: xmlsec at aleksey.com
Subject: Re: FW: X509SerialNumber

No, I think you are mistaken. "Issuer serial" is the serial number of this
certificate and it is unique for all certificates from this issuer. Thus the
certificate can be identified by the issuer name and the "issuer serial
number" of the certificate.

Aleksey



Wes Thomas wrote:
> Does the X509SerialNumber node within the X509IssuerSerial node, *NOT* 
> refer to the serial number for the issuer certificate?
> <X509IssuerSerial> 
> 	<X509IssuerName>My CA for Certificate A</X509IssuerName>
> 	<X509SerialNumber>12345678</X509SerialNumber>
> </X509IssuerSerial>
> 
> The way I read
> http://www.w3.org/TR/2000/WD-xmldsig-core-20000510/#sec-X509Data and 
> the example they give (listed above), the X509SerialNumber should 
> contain the issuer's serial number, NOT the serial number of the 
> certificate used for signing. Is this correct?
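
Added example, not part of the original messages or of xmlsec: a lookup that reads `<X509IssuerSerial>` as the XML-DSig schema defines it, an issuer distinguished name paired with the serial number that issuer assigned to the referenced certificate. The certificate records, the DN form of the issuer name, and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the fragment from the thread wrapped in X509Data,
# with the issuer name written as a DN.
KEYINFO = """
<X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
  <X509IssuerSerial>
    <X509IssuerName>CN=My CA for Certificate A</X509IssuerName>
    <X509SerialNumber>12345678</X509SerialNumber>
  </X509IssuerSerial>
</X509Data>
"""

# Constructed certificate records (hypothetical subjects, issuers and serials).
CA = "CN=My CA for Certificate A"
CERTS = [
    {"subject": CA, "issuer": CA, "serial": 1},                    # the CA's own cert
    {"subject": "CN=Signer A", "issuer": CA, "serial": 0xBC614E},  # 12345678 decimal
    {"subject": "CN=Other", "issuer": "CN=Another CA", "serial": 12345678},
]

def norm_dn(dn):
    # Simplified DN comparison: trim and lowercase each comma-separated part.
    # Escaped commas and multi-valued RDNs are not handled (assumption).
    return tuple(p.strip().lower() for p in dn.split(","))

def parse_issuer_serial(xml_text):
    node = ET.fromstring(xml_text.strip()).find(f".//{DS}X509IssuerSerial")
    if node is None:
        raise ValueError("no X509IssuerSerial element")
    issuer = node.findtext(f"{DS}X509IssuerName")
    serial = node.findtext(f"{DS}X509SerialNumber")
    if not issuer or not serial:
        raise ValueError("incomplete X509IssuerSerial")
    # The schema types X509SerialNumber as a decimal integer; compare as int.
    return norm_dn(issuer), int(serial.strip())

def find_referenced_cert(xml_text, certs):
    issuer, serial = parse_issuer_serial(xml_text)
    hits = [c for c in certs
            if norm_dn(c["issuer"]) == issuer and c["serial"] == serial]
    if len(hits) != 1:
        raise LookupError(f"expected one match, got {len(hits)}")
    return hits[0]

if __name__ == "__main__":
    print(find_referenced_cert(KEYINFO, CERTS)["subject"])
```

Matching on the serial alone would return two of the three records here; the issuer name is what narrows the result to one certificate.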



