[xmlsec] RE: FW: X509SerialNumber

Rich Salz rsalz at datapower.com
Sun Sep 5 20:32:36 PDT 2004

> Assuming an audit is done in the future, how do you identify the issuer
> certificate?

Not to be flip, but that's the issuer's problem.  If the issuer wants to
ensure that it is properly identified, it must arrange to put some kind of
identifier in the certificates that it creates.  Yes, you can

> I thought that subject name alone does not guarantee
> uniqueness. That is the point--if I understand it correctly :-)--of having a
> serial number. Subject and serial together provide uniqueness.

No they don't.  Two different CA's can issue a certificate with the name
subjectDN and serialNumber.  The *only* guaranttee X509 makes about
uniqueness is that a CA will never issue two different certificates with
the same serial number.  So issuer/serial# uniquely identifies an issued

How do you uniquely identify the CA?  Often, just verifying the signature
in the cert is enough.  But if the same CA has multiple certs, then you
have to recurse and get the CA's issuer/serial#, and so on.

> Otherwise how would you find the issuer certificate at a later date without
> being able to provide the CA with the serial number of the certificate you
> wish to verify against?

Before deciding to trust a cert, you have to already have accepted the
issuer's certificate.  Or somewhere up the chain.  That's kinda how PKI

> Besides that, <X509SerialNumber> is contained within the <X509IssuerSerial>
> node! Why would that refer to anything BUT the issuer data?

Because that's not the way it works.  To uniquely a identify a cert issued
by ca "c=us,dn=FooBar" you need the serialNumber that FooBar assigned.

That's just the way it is.


Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html

More information about the xmlsec mailing list