Message-ID: <43135E02.9030200@t-online.de>
Date: Mon, 29 Aug 2005 21:12:02 +0200
From: Werner Dittmann
To: security-dev@xml.apache.org
Subject: Re: How to uniquely identify a X509 Certificate ?
In-Reply-To: <20050829165247.31442.qmail@web34509.mail.mud.yahoo.com>

There are several ways: the issuer name/issuer serial will uniquely identify a certificate. Each issuer of a cert (a trusted certificate authority, CA) will never use a serial number twice. Thus this combination is unique.

Similar for Subject Key Identifier (SKI), available only in V3 certs, uniquely identifies a cert (AFAIK RFC3288 describes the algorithm to compute the SKI; it's a SHA-1 hash of the subject's public key).

Regards,
Werner

Tech Rams wrote:
> Couple of points actually
>
> 1. Not sure how you can avoid signature verification - the very reason a signature is provided is to ensure that data is not modified on the way (plus sender authentication). This means you will have to verify the signature for every message you receive.
>
> 2. One way to uniquely identify a certificate is using the issuer's DN and serial #. You can get that info from the certificate. If it is a V3 certificate you can also use Subject Key Identifier along with the Subject DN. But I am not sure that could be unique across certificates issued to the same DN across multiple CAs. If that risk is not there, you can use that.
>
> --- Miha Vidmar wrote:
>
>> Hi,
>>
>> I'm having a similar sort of a problem, only I'm validating certificate chains.
>>
>> A unique identifier for certificates could be Issuer and certificate serial number and are relatively easy to obtain.
>>
>> For you I would recommend comparing Issuer.SubjectDN and current certificate serial number.
>> But it's not 100% safe, since multiple CA's can have the same SubjectDN (not likely, unless somebody is trying to hack). I have yet to figure out how to compare Certificate Authority Key Identifiers, which would be safe to use.
>>
>> Miha
>>
>> -----Original Message-----
>> From: Kr [mailto:babloosony@gmail.com]
>> Sent: Monday, August 29, 2005 3:24 PM
>> To: security-dev@xml.apache.org
>> Subject: How to uniquely identify a X509 Certificate ?
>>
>> Hi All,
>>
>> Basically I am doing the w3c's xml-signature-verification-process for a web service on the server side. For this I extract the certificate from the signature and compare it between requests. Say if I get the request for the first time then I'll extract the certificate as bytes and compute the message digest and put it in a java HashMap as key (key being Certificate's SubjectDN) value object. Next time when the same request comes then I'll repeat the above process and compare the digest with the HashMap values and if a match is found then I would avoid signature verification process. Using all this I want to save the time consumed by xml-signature verification process.
>>
>> Now my question is, how to uniquely identify a certificate. If I open the X509 Version 3 Certificate using tools like java keytool, KeyStore Explorer then I can see MD5-Fingerprint and SHA1-Fingerprint and I guess these are unique to a certificate. Are these fingerprints unique for a certificate? If my understanding is correct then are there any java APIs available for us to extract these fingerprints and help me in uniquely identifying the certificates.
>>
>> Please suggest ...
>>
>> Thanks & Regards,
>> Kr.
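The identifiers the thread discusses (issuer DN + serial, the SubjectKeyIdentifier, a fingerprint over the DER encoding, and the AuthorityKeyIdentifier-to-SKI link Miha asks about) can all be pulled from a certificate with nothing but the JDK. The following is an added example written for this page; it is not code from the thread nor from the Apache XML Security project. It assumes a certificate file (PEM or DER) given as the first argument and, optionally, its issuer's certificate as the second; the class name `CertIdentity` and the tiny DER TLV reader are this example's own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;

/** Added example: compute the certificate identifiers discussed in the thread.
 *  Usage: java CertIdentity cert.pem [issuer.pem] */
public class CertIdentity {

    /** Issuer DN + serial: unique because a CA must never reuse a serial number. */
    static String issuerAndSerial(X509Certificate cert) {
        // CANONICAL form so that two encodings of the same DN compare equal as strings.
        return cert.getIssuerX500Principal().getName(X500Principal.CANONICAL)
                + "#" + cert.getSerialNumber().toString(16);
    }

    /** Fingerprint: hash of the DER encoding; keytool's MD5/SHA1 fingerprints are this
     *  with those algorithms. Use SHA-256 for anything security-relevant. */
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        return hex(MessageDigest.getInstance(algorithm).digest(cert.getEncoded()));
    }

    /** SubjectKeyIdentifier (OID 2.5.29.14), v3 only; null when the extension is absent. */
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.14");
        if (ext == null) return null;
        // getExtensionValue() returns the extension's OCTET STRING; its content is
        // SubjectKeyIdentifier ::= KeyIdentifier, which is itself an OCTET STRING.
        int[] outer = tlv(ext, 0);
        int[] inner = tlv(ext, outer[2]);
        return Arrays.copyOfRange(ext, inner[2], inner[2] + inner[1]);
    }

    /** keyIdentifier field of AuthorityKeyIdentifier (OID 2.5.29.35); null if absent. */
    static byte[] authorityKeyIdentifier(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.35");
        if (ext == null) return null;
        int[] outer = tlv(ext, 0);        // OCTET STRING
        int[] seq = tlv(ext, outer[2]);   // SEQUENCE { [0] keyIdentifier OPTIONAL, [1] ..., [2] ... }
        int pos = seq[2], end = seq[2] + seq[1];
        while (pos < end) {
            int[] e = tlv(ext, pos);
            if (e[0] == 0x80) return Arrays.copyOfRange(ext, e[2], e[2] + e[1]);  // [0] IMPLICIT OCTET STRING
            pos = e[2] + e[1];
        }
        return null;
    }

    /** Minimal DER TLV reader (single-byte tags): returns {tag, length, offset of first value byte}. */
    static int[] tlv(byte[] der, int pos) {
        int tag = der[pos] & 0xFF;
        int len = der[pos + 1] & 0xFF;
        int off = pos + 2;
        if ((len & 0x80) != 0) {          // long-form length: 0x8n followed by n length bytes
            int n = len & 0x7F;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[off++] & 0xFF);
        }
        return new int[] {tag, len, off};
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);   // accepts PEM or DER
        }
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = load(cf, args[0]);
        System.out.println("issuer+serial : " + issuerAndSerial(cert));
        System.out.println("sha256        : " + fingerprint(cert, "SHA-256"));
        byte[] ski = subjectKeyIdentifier(cert);
        System.out.println("SKI           : " + (ski == null ? "(none)" : hex(ski)));
        byte[] aki = authorityKeyIdentifier(cert);
        System.out.println("AKI keyId     : " + (aki == null ? "(none)" : hex(aki)));
        if (args.length > 1) {
            // The chain check Miha asks about: the child's AKI keyIdentifier must equal the issuer's SKI.
            boolean linked = aki != null && Arrays.equals(aki, subjectKeyIdentifier(load(cf, args[1])));
            System.out.println("AKI == issuer SKI : " + linked);
        }
    }
}
```

A test certificate can be produced with the JDK alone, for example `keytool -genkeypair -alias t -keyalg RSA -dname CN=test -keystore t.p12 -storetype PKCS12 -storepass changeit` followed by `keytool -exportcert -alias t -keystore t.p12 -storepass changeit -rfc -file cert.pem`; the SKI and AKI lines print `(none)` if the certificate lacks those extensions. Two points for the cache Kr describes: `java.security.cert.Certificate.equals()` and `hashCode()` are defined over the DER encoding, so an `X509Certificate` can be a `HashMap` key directly without hand-computing a digest, and MD5 should not be that digest since it is no longer collision-resistant. More importantly, as Tech Rams says, what a per-certificate cache can legitimately memoize is the result of validating the certificate's chain (path building, revocation, trust anchor), never the signature check on an individual message, which binds that particular message to the key and must be redone every time.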