santuario-dev mailing list archives

From "Jesse Pelton" <...@PKC.com>
Subject RE: (OT) How to uniquely identify a X509 Certificate ?
Date Mon, 29 Aug 2005 19:39:02 GMT
Sorry, I should have marked my question as off-topic, especially since I
was just curious.  From your post and Scott's, it sounds like this isn't
as tight as it ought to be.

Back on topic, I also have doubts about the wisdom of skipping signature
verification. 

> -----Original Message-----
> From: Steele Matthew [mailto:steele_matthew@bah.com] 
> Sent: Monday, August 29, 2005 3:30 PM
> To: security-dev@xml.apache.org
> Subject: RE: How to uniquely identify a X509 Certificate ?
> 
> The Online Certificate Status Protocol (OCSP - RFC 2560) handles these
> issues by also requiring a hash of the issuer's public key to further
> ensure proper identification of the issuer.  This can be difficult
> though since it usually requires a copy of the issuer's certificate.
> But I would echo the concern earlier in the thread - you 
> shouldn't avoid
> doing signature verification just because you have cached a 
> copy of the
> certificate.
> 
> Matt
> 
> -----Original Message-----
> From: Jesse Pelton [mailto:jsp@PKC.com] 
> Sent: Monday, August 29, 2005 3:24 PM
> To: security-dev@xml.apache.org
> Subject: RE: How to uniquely identify a X509 Certificate ?
> 
> This assumes, of course, that issuer names are unique.  This is
> obviously a desirable property of such names, and I've always assumed
> that it's the case, but I don't know if there's any mechanism that
> guarantees it.  Is there a global registry of CAs or 
> something similar?
> 
> > -----Original Message-----
> > From: Werner Dittmann [mailto:Werner.Dittmann@t-online.de] 
> > Sent: Monday, August 29, 2005 3:12 PM
> > To: security-dev@xml.apache.org
> > Subject: Re: How to uniquely identify a X509 Certificate ?
> > 
> > There are several ways:
> > the issuername/issuer serial will uniquely identify a
> > certificate. Each issuer of a cert (a trusted certificate
> > authority, CA) will never use a serial number twice. Thus
> > this combination is unique.
> > 
> > Similarly, the Subject Key Identifier (SKI), available only
> > in V3 certs, uniquely identifies a cert (AFAI RFC3288
> > describes the algo to compute the SKI; it's a SHA-1 hash
> > of the subject's public key).
> > 
> > Regards,
> > Werner
> > 
> > Tech Rams wrote:
> > > Couple of points actually
> > > 1. Not sure how you can avoid signature verification -
> > > the very reason a signature is provided is to ensure
> > > that data is not modified on the way (plus sender
> > > authentication). This means you will have to verify
> > > the signature for every message you receive.
> > > 
> > > 2. one way to uniquely identify a certificate is using
> > > the issuer's DN and serial #. You can get that info
> > > from the certificate. If it is a V3 certificate you
> > > can also use Subject Key Identifier along with the
> > > Subject DN. But I am not sure that could be unique
> > > across certificates issued to the same DN across
> > > multiple CAs. If that risk is not there, you can use
> > > that.
> > > 
> > > 
> > > 
> > > 
> > > --- Miha Vidmar <miha.vidmar@hermes.si> wrote:
> > > 
> > > 
> > >>Hi,
> > >>
> > >>I'm having a similar sort of a problem, only I'm
> > >>validating certificate
> > >>chains. 
> > >>
> > >>A unique identifier for certificates could be Issuer
> > >>and certificate serial
> > >>number and are relatively easy to obtain.
> > >>
> > >>For you I would recommend comparing Issuer.SubjectDN
> > >>and current certificate
> > >>serial number. But it's not 100% safe, since
> > >>multiple CAs can have the same
> > >>SubjectDN (not likely, unless somebody is trying to
> > >>hack). I have yet to
> > >>figure out how to compare Certificate Authority Key
> > >>Identifiers, which would
> > >>be safe to use.
> > >>
> > >>Miha
> > >>
> > >>-----Original Message-----
> > >>From: Kr [mailto:babloosony@gmail.com] 
> > >>Sent: Monday, August 29, 2005 3:24 PM
> > >>To: security-dev@xml.apache.org
> > >>Subject: How to uniquely identify a X509 Certificate
> > >>?
> > >>
> > >>Hi All,
> > >>
> > >>Basically I am doing the w3c's
> > >>xml-signature-verification-process for a web
> > >>service on the server side. For this I extract the
> > >>certificate from the
> > >>signature and compare it between requests. Say if I
> > >>get the request for the
> > >>first time then I'll extract the certificate as
> > >>bytes and compute the
> > >>message digest and put it in a java HashMap as key
> > >>(key being Certificate's
> > >>SubjectDN) value object. Next time when the same
> > >>request comes then I'll
> > >>repeat the above process and compare the digest with
> > >>the HashMap values and
> > >>if a match is found then I would avoid signature
> > >>verification process. Using
> > >>all this I want to save the time consumed by
> > >>xml-signature verification
> > >>process.
> > >>
> > >>Now my question is, how to uniquely identify a
> > >>certificate. If I open the
> > >>X509 Version 3 Certificate using tools like java
> > >>keytool, KeyStore Explorer
> > >>then I can see the MD5-Fingerprint and SHA1-Fingerprint and
> > >>I guess these are unique
> > >>to a certificate. Are these fingerprints unique for a
> > >>certificate ? If my
> > >>understanding is correct then are there any java
> > >>APIs available for us to
> > >>extract these fingerprints and help me in uniquely
> > >>identifying the
> > >>certificates.
> > >>
> > >>Please suggest ...
> > >>
> > >>
> > >>Thanks & Regards,
> > >>Kr.
> 

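As an added example (not code from this thread or from the Santuario project), the three identifiers the thread discusses, computed with the plain JCA: the keytool-style fingerprint over the DER encoding, issuer DN plus serial number, and the Subject Key Identifier extension. The certificate path in `args[0]` is a placeholder; the class name and helper names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
/** Stable identifiers for an X.509 certificate using only the JCA (no third-party library). */
public final class CertIdentity {
    /** Digest over the whole DER encoding (keytool's SHA1/MD5 fingerprint). A cache hit on it only says the same
     *  certificate was presented again; it says nothing about this message's signature, which must still be verified. */
    public static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        return hex(MessageDigest.getInstance(algorithm).digest(cert.getEncoded()));
    }
    /** Issuer DN (RFC 2253 string form) plus serial: unique only as far as issuer names are unique. */
    public static String issuerSerial(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName("RFC2253") + "/" + cert.getSerialNumber().toString(16);
    }
    /** Subject Key Identifier (OID 2.5.29.14). getExtensionValue() returns a DER OCTET STRING whose contents
     *  are themselves an OCTET STRING holding the key id. Null when absent (for example in a V1 certificate). */
    public static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] outer = cert.getExtensionValue("2.5.29.14");
        return outer == null ? null : octetStringContents(octetStringContents(outer));
    }
    /** Strip one DER OCTET STRING header (tag 0x04, short- or long-form length) and return the contents. */
    private static byte[] octetStringContents(byte[] der) {
        if (der[0] != 0x04) throw new IllegalArgumentException("not a DER OCTET STRING");
        int first = der[1] & 0xFF, offset = 2, length = first;
        if (first > 0x80) {            // long form: the low 7 bits give the number of length bytes that follow
            length = 0;
            for (int i = 0; i < (first & 0x7F); i++) length = (length << 8) | (der[offset++] & 0xFF);
        }
        return Arrays.copyOfRange(der, offset, offset + length);
    }
    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }
    public static void main(String[] args) throws Exception {
        // args[0]: placeholder path to a DER- or PEM-encoded certificate supplied by the caller.
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("SHA-1 fingerprint: " + fingerprint(cert, "SHA-1"));
            System.out.println("Issuer/serial:     " + issuerSerial(cert));
            byte[] ski = subjectKeyIdentifier(cert);
            System.out.println("SKI:               " + (ski == null ? "(none)" : hex(ski)));
        }
    }
}
```

Whichever identifier is used as the cache key, it identifies the certificate, not the message: per the thread, every message's XML signature still has to be verified against that certificate.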