santuario-dev mailing list archives

From Werner Dittmann <Werner.Dittm...@t-online.de>
Subject Re: How to uniquely identify a X509 Certificate ?
Date Mon, 29 Aug 2005 19:12:02 GMT
There are several ways:
the issuer name/issuer serial will uniquely identify a
certificate. Each issuer of a cert (a trusted certificate
authority, CA) will never use a serial number twice. Thus
this combination is unique.

Similarly, the Subject Key Identifier (SKI), available only
in V3 certs, uniquely identifies a cert (AFAIK RFC3288
describes the algorithm to compute the SKI; it's a SHA-1 hash
of the subject's public key).

Regards,
Werner

Tech Rams wrote:
> Couple of points actually
> 1. Not sure how you can avoid signature verification -
> the very reason a signature is provided is to ensure
> that data is not modified on the way (plus sender
> authentication). This means you will have to verify
> the signature for every message you receive.
> 
> 2. One way to uniquely identify a certificate is using
> the issuer's DN and serial #. You can get that info
> from the certificate. If it is a V3 certificate you
> can also use Subject Key Identifier along with the
> Subject DN. But I am not sure that could be unique
> across certificates issued to the same DN across
> multiple CAs. If that risk is not there, you can use
> that.
> 
> 
> 
> 
> --- Miha Vidmar <miha.vidmar@hermes.si> wrote:
> 
> 
>>Hi,
>>
>>I'm having a similar sort of a problem, only I'm
>>validating certificate
>>chains. 
>>
>>A unique identifier for certificates could be Issuer
>>and certificate serial
>>number and are relatively easy to obtain.
>>
>>For you I would recommend comparing Issuer.SubjectDN
>>and current certificate
>>serial number. But it's not 100% safe, since
>>multiple CAs can have the same
>>SubjectDN (not likely, unless somebody is trying to
>>hack). I have yet to
>>figure out how to compare Certificate Authority Key
>>Identifiers, which would
>>be safe to use.
>>
>>Miha
>>
>>-----Original Message-----
>>From: Kr [mailto:babloosony@gmail.com] 
>>Sent: Monday, August 29, 2005 3:24 PM
>>To: security-dev@xml.apache.org
>>Subject: How to uniquely identify a X509 Certificate ?
>>
>>Hi All,
>>
>>Basically I am doing the w3c's
>>xml-signature-verification-process for a web
>>service on the server side. For this I extract the
>>certificate from the
>>signature and compare it between requests. Say if I
>>get the request for the
>>first time then I'll extract the certificate as
>>bytes and compute the
>>message digest and put it in a java HashMap as key
>>(key being Certificate's
>>SubjectDN) value object. Next time when the same
>>request comes then I'll
>>repeat the above process and compare the digest with
>>the HashMap values and
>>if a match is found then I would avoid signature
>>verification process. Using
>>all this I want to save the time consumed by
>>xml-signature verification
>>process.
>>
>>Now my question is, how to uniquely identify a
>>certificate. If I open the
>>X509 Version 3 Certificate using tools like java
>>keytool, KeyStore Explorer
>>then I can see MD5-Fingerprint and SHA1-Fingerprint and
>>I guess these are unique
>>to a certificate. Are these fingerprints unique for a
>>certificate ? If my
>>understanding is correct then are there any java
>>APIs available for us to
>>extract these fingerprints and help me in uniquely
>>identifying the
>>certificates.
>>
>>Please suggest ...
>>
>>
>>Thanks & Regards,
>>Kr.
>>
> 
> 
> 


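The three identifiers discussed in this thread (keytool-style fingerprint over the DER bytes, issuer DN plus serial number, and the Subject Key Identifier extension) can all be pulled from a certificate with plain JDK APIs, with no Santuario or Bouncy Castle dependency. The following is an added example, not code from the thread or from the Santuario project. It assumes the JDK's own trust store is at $JAVA_HOME/lib/security/cacerts with the default password "changeit" (any other keystore can be passed as the first argument), and uses SHA-256 rather than the MD5/SHA-1 fingerprints keytool printed in 2005, since a cache keyed on a digest should use a hash for which no collision has been demonstrated.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Three ways to identify an X.509 certificate from plain JDK APIs:
 *   1. fingerprint: a hash over the certificate's DER encoding (what keytool prints),
 *   2. issuer DN + serial number,
 *   3. Subject Key Identifier extension (OID 2.5.29.14), present in V3 certs only.
 */
public class CertIdentity {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** Hash over the DER bytes; any change to the certificate changes this value. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        return hex(MessageDigest.getInstance(algorithm).digest(cert.getEncoded()));
    }

    /** Issuer DN (RFC 2253 form, so it compares as a string) plus serial number in hex. */
    static String issuerSerial(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName() + " serial=" + cert.getSerialNumber().toString(16);
    }

    /**
     * Raw Subject Key Identifier bytes, or null when the extension is absent.
     * getExtensionValue() returns the extension value wrapped in a DER OCTET STRING; the
     * SKI value is itself an OCTET STRING, so two TLV headers are stripped.
     */
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        return ext == null ? null : derOctetStringContent(derOctetStringContent(ext));
    }

    /** Content bytes of a DER OCTET STRING (tag 0x04), short or long length form. */
    static byte[] derOctetStringContent(byte[] tlv) {
        if (tlv.length < 2 || tlv[0] != 0x04) throw new IllegalArgumentException("not an OCTET STRING");
        int len = tlv[1] & 0xFF, offset = 2;
        if ((len & 0x80) != 0) {              // long form: low 7 bits = number of length bytes
            int n = len & 0x7F;
            if (n == 0 || n > 4) throw new IllegalArgumentException("bad DER length");
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (tlv[offset++] & 0xFF);
        }
        if (offset + len > tlv.length) throw new IllegalArgumentException("truncated OCTET STRING");
        return Arrays.copyOfRange(tlv, offset, offset + len);
    }

    /** True if this exact certificate was already cached (by DER digest); caches it otherwise. */
    static boolean seenBefore(Map<String, X509Certificate> cache, X509Certificate cert) throws Exception {
        return cache.putIfAbsent(fingerprint(cert, "SHA-256"), cert) != null;
    }

    public static void main(String[] args) throws Exception {
        // Sample input (assumption): the JDK's own trust store at $JAVA_HOME/lib/security/cacerts
        // with the default password "changeit"; pass another keystore path as args[0].
        String path = args.length > 0 ? args[0]
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }

        Map<String, X509Certificate> cache = new HashMap<>();
        Map<String, Integer> subjects = new HashMap<>();   // how many certs share a subject DN
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            byte[] ski = subjectKeyIdentifier(cert);

            System.out.println(alias);
            System.out.println("  SHA-256 fingerprint: " + fingerprint(cert, "SHA-256"));
            System.out.println("  issuer + serial:     " + issuerSerial(cert));
            System.out.println("  SKI:                 " + (ski == null ? "(extension absent)" : hex(ski)));

            if (seenBefore(cache, cert)) System.out.println("  (already cached, same DER bytes)");
            subjects.merge(cert.getSubjectX500Principal().getName(), 1, Integer::sum);
        }
        long sharedSubjects = subjects.values().stream().filter(n -> n > 1).count();
        System.out.println(cache.size() + " distinct certificates; " + sharedSubjects
                + " subject DNs are shared by more than one certificate");
    }
}
```

Compile and run with `javac CertIdentity.java && java CertIdentity`. Two points worth keeping in mind when choosing a key for the HashMap in the original question: the fingerprint identifies one exact certificate, whereas the SKI identifies the public key, so a renewed certificate for the same key carries the same SKI; and the subject DN alone is not a safe key, since the run above shows that distinct certificates can share one. What such a cache can legitimately save is the expensive part, namely building and validating the certificate chain for a certificate already seen, keyed by its fingerprint; the signature over each message still has to be verified, because that check is what proves the message itself was not altered.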