santuario-dev mailing list archives

From "Steele Matthew" <steele_matt...@bah.com>
Subject RE: How to uniquely identify a X509 Certificate ?
Date Mon, 29 Aug 2005 19:30:02 GMT
The Online Certificate Status Protocol (OCSP - RFC 2560) handles these
issues by also requiring a hash of the issuer's public key to further
ensure proper identification of the issuer.  This can be difficult
though since it usually requires a copy of the issuer's certificate.
But I would echo the concern earlier in the thread - you shouldn't avoid
doing signature verification just because you have cached a copy of the
certificate.

Matt

-----Original Message-----
From: Jesse Pelton [mailto:jsp@PKC.com] 
Sent: Monday, August 29, 2005 3:24 PM
To: security-dev@xml.apache.org
Subject: RE: How to uniquely identify a X509 Certificate ?

This assumes, of course, that issuer names are unique.  This is
obviously a desirable property of such names, and I've always assumed
that it's the case, but I don't know if there's any mechanism that
guarantees it.  Is there a global registry of CAs or something similar?

> -----Original Message-----
> From: Werner Dittmann [mailto:Werner.Dittmann@t-online.de] 
> Sent: Monday, August 29, 2005 3:12 PM
> To: security-dev@xml.apache.org
> Subject: Re: How to uniquely identify a X509 Certificate ?
> 
> There are several ways:
> the issuername/issuer serial will uniquely identify a
> certificate. Each issuer of a cert (a trusted certificate
> authority, CA) will never use a serial number twice. Thus
> this combination is unique.
> 
> Similarly, the Subject Key Identifier (SKI), available only
> in V3 certs, uniquely identifies a cert (AFAIK RFC3288
> describes the algorithm to compute the SKI; it's a SHA-1 hash
> of the subject's public key).
> 
> Regards,
> Werner
> 
> Tech Rams wrote:
> > Couple of points actually
> > 1. Not sure how you can avoid signature verification -
> > the very reason a signature is provided is to ensure
> > that data is not modified on the way (plus sender
> > authentication). This means you will have to verify
> > the signature for every message you receive.
> > 
> > 2. one way to uniquely identify a certificate is using
> > the issuer's DN and serial #. You can get that info
> > from the certificate. If it is a V3 certificate you
> > can also use Subject Key Identifier along with the
> > Subject DN. But I am not sure that could be unique
> > across certificates issued to the same DN across
> > multiple CAs. If that risk is not there, you can use
> > that.
> > 
> > 
> > 
> > 
> > --- Miha Vidmar <miha.vidmar@hermes.si> wrote:
> > 
> > 
> >>Hi,
> >>
> >>I'm having a similar sort of a problem, only I'm
> >>validating certificate
> >>chains. 
> >>
> >>A unique identifier for certificates could be Issuer
> >>and certificate serial
> >>number and are relatively easy to obtain.
> >>
> >>For you I would recommend comparing Issuer.SubjectDN
> >>and current certificate
> >>serial number. But it's not 100% safe, since
> >>multiple CAs can have the same
> >>SubjectDN (not likely, unless somebody is trying to
> >>hack). I have yet to
> >>figure out how to compare Certificate Authority Key
> >>Identifiers, which would
> >>be safe to use.
> >>
> >>Miha
> >>
> >>-----Original Message-----
> >>From: Kr [mailto:babloosony@gmail.com] 
> >>Sent: Monday, August 29, 2005 3:24 PM
> >>To: security-dev@xml.apache.org
> >>Subject: How to uniquely identify a X509 Certificate ?
> >>
> >>Hi All,
> >>
> >>Basically I am doing the w3c's
> >>xml-signature-verification-process for a web
> >>service on the server side. For this I extract the
> >>certificate from the
> >>signature and compare it between requests. Say if I
> >>get the request for the
> >>first time then I'll extract the certificate as
> >>bytes and compute the
> >>message digest and put it in a java HashMap as key
> >>(key being Certificate's
> >>SubjectDN) value object. Next time when the same
> >>request comes then I'll
> >>repeat the above process and compare the digest with
> >>the HashMap values and
> >>if a match is found then I would avoid signature
> >>verification process. Using
> >>all this I want to save the time consumed by
> >>xml-signature verification
> >>process.
> >>
> >>Now my question is, how to uniquely identify a
> >>certificate. If I open the
> >>X509 Version 3 Certificate using tools like java
> >>keytool, KeyStore Explorer
> >>then I can see MD5-Fingerprint and SHA1-Fingerprint and
> >>I guess these are unique
> >>to a certificate. Are these fingerprints unique for a
> >>certificate ? If my
> >>understanding is correct then are there any java
> >>APIs available for us to
> >>extract these fingerprints and help me in uniquely
> >>identifying the
> >>certificates.
> >>
> >>Please suggest ...
> >>
> >>
> >>Thanks & Regards,
> >>Kr.
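Added example (not code from anyone in this thread): a Go program, standard library only, that derives the candidate identifiers discussed above from constructed self-signed certificates. `SubjectKeyID` computes the SKI the way RFC 5280 section 4.2.1.2 method (1) describes (SHA-1 over the subjectPublicKey bits), `IdentifyCert` collects Subject DN, issuer DN plus serial, SKI and a SHA-256 fingerprint over the DER, and `IssueTestCert` builds throwaway Ed25519 certificates so two certs with the same Subject DN can be compared; the function names and the CN values are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// SubjectKeyID is RFC 5280 4.2.1.2 method (1): SHA-1 over the contents of the subjectPublicKey BIT STRING only, not the whole SPKI.
func SubjectKeyID(pub ed25519.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	var spki struct{ Alg pkix.AlgorithmIdentifier; Key asn1.BitString }
	asn1.Unmarshal(der, &spki)
	sum := sha1.Sum(spki.Key.Bytes)
	return sum[:]
}

// CertIDs holds the candidate cache keys the thread weighs against each other.
type CertIDs struct{ SubjectDN, IssuerSerial, SKI, Fingerprint string }
func IdentifyCert(c *x509.Certificate) CertIDs {
	return CertIDs{
		SubjectDN:    c.Subject.String(),                              // Kr's HashMap key
		IssuerSerial: fmt.Sprintf("%s/%x", c.Issuer, c.SerialNumber), // Werner's choice
		SKI:          fmt.Sprintf("%x", c.SubjectKeyId),              // V3 extension
		Fingerprint:  fmt.Sprintf("%x", sha256.Sum256(c.Raw)),        // hash of the DER
	}
}

// IssueTestCert builds a self-signed Ed25519 cert as constructed test input (hypothetical CN, not a real CA); each call uses a fresh key pair.
func IssueTestCert(cn string, serial int64) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		SubjectKeyId: SubjectKeyID(pub),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Two certs issued with the same CN share `SubjectDN` but differ in `IssuerSerial`, `SKI` and `Fingerprint`; whichever key is chosen, it only identifies which certificate was presented and, as Matt and Tech Rams point out, says nothing about the signature on the message itself.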
