RE: Recommendation on subject matching rules needed..
I don't follow the logic here... If hash of issuer+serial is used, won't
the same issue happen upon revalidation of the key pair (that is, when
the original certificate expires)? Or am I more or less required to do a
key replacement operation (or changeover, or whatever the correct
terminology is) at that point?
/Olle
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx
[mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Peter Gutmann
Sent: 11 March 2003 12:53
To: ietf-pkix@xxxxxxx; Saku.Vainikainen@xxxxxxxx
Subject: Re: Recommendation on subject matching rules needed..
"Vainikainen Saku EINT" <Saku.Vainikainen@xxxxxxxx> writes:
>It seems that all the software we have tested (e.g. MSoft, Utimaco)
Everyone, not just those two.
>tend to do some kind of binary comparison (hash values I suppose)
issuerAndSerialNumber.
>The only problem is that the encryption key pair may have been
>recertified in between.
Therein lies the problem: Don't issue multiple certificates for the
same key. If you "recover the archived encryption keypair" why not
recover the cert that goes with it?
(NB: Saying "We need to be able to issue a new encryption cert because
we revoke the old one" isn't valid because the private key is still in
use, so revoking the old cert is pointless).
Peter.
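The failure mode the thread is discussing, as an added example (not code from either poster): a client that indexes its private keys by a hash of the DER-encoded CMS IssuerAndSerialNumber finds the key for the certificate it was installed with, but misses the "recertified" certificate, which carries the same public key under a new serial number. The example goes one step beyond the thread by also indexing on the public key itself (RFC 5280 method 1 SubjectKeyIdentifier, the SHA-1 of the subjectPublicKey bits, which CMS RecipientIdentifier can carry instead of issuerAndSerialNumber), to show that a key-derived identifier survives recertification. The CA name, serial numbers, public-key bytes and key labels are constructed stand-ins; only the DER encoding of IssuerAndSerialNumber and the SHA-1 key-identifier rule are real.

```python
"""Recipient matching by issuerAndSerialNumber vs. by key identifier.

Added, constructed example: two certificates for the SAME encryption key,
from the same CA, differing only in serial number (the second is the
"recertified" key from the thread).  Pure standard library; no real X.509
parsing, only the DER structures that the comparison actually hashes.
"""
import hashlib
from dataclasses import dataclass


# --- minimal DER encoder: only what IssuerAndSerialNumber needs ------------

def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value: int) -> bytes:
    """INTEGER, minimal two's-complement (serial numbers are positive)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return der_tlv(0x02, body)


OID_CN = bytes.fromhex("550403")   # id-at-commonName 2.5.4.3
OID_O = bytes.fromhex("55040a")    # id-at-organizationName 2.5.4.10


def der_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value PrintableString }."""
    sets = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, val.encode("ascii"))))
        for oid, val in rdns)
    return der_tlv(0x30, sets)


def issuer_and_serial_number(issuer_der: bytes, serial: int) -> bytes:
    """CMS IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber INTEGER }."""
    return der_tlv(0x30, issuer_der + der_integer(serial))


def subject_key_identifier(spk_bits: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey bits."""
    return hashlib.sha1(spk_bits).digest()


@dataclass(frozen=True)
class Cert:
    issuer: bytes       # DER-encoded issuer Name
    serial: int
    public_key: bytes   # subjectPublicKey bits (constructed stand-in for a real key)

    def issuer_and_serial(self) -> bytes:
        return issuer_and_serial_number(self.issuer, self.serial)

    def skid(self) -> bytes:
        return subject_key_identifier(self.public_key)


class KeyStore:
    """Client-side private-key store with the two candidate lookup indexes."""

    def __init__(self):
        self.by_ias = {}    # sha256(DER IssuerAndSerialNumber) -> key label
        self.by_skid = {}   # SubjectKeyIdentifier -> key label

    def add(self, cert: Cert, private_key_label: str) -> None:
        self.by_ias[hashlib.sha256(cert.issuer_and_serial()).digest()] = private_key_label
        self.by_skid[cert.skid()] = private_key_label

    def find_by_issuer_and_serial(self, recipient_cert: Cert):
        return self.by_ias.get(hashlib.sha256(recipient_cert.issuer_and_serial()).digest())

    def find_by_key_id(self, recipient_cert: Cert):
        return self.by_skid.get(recipient_cert.skid())


# Constructed data: a made-up CA name and a made-up key; serials are arbitrary.
CA_NAME = der_name([(OID_O, "Example CA"), (OID_CN, "Example Issuing CA")])
PUBLIC_KEY_BITS = hashlib.sha256(b"constructed stand-in for subjectPublicKey").digest()


def demo() -> dict:
    original = Cert(CA_NAME, serial=0x1001, public_key=PUBLIC_KEY_BITS)
    recertified = Cert(CA_NAME, serial=0x2002, public_key=PUBLIC_KEY_BITS)
    store = KeyStore()
    store.add(original, "enc-key-1")   # archived key + original cert installed
    # A sender now encrypts to the recertified cert, so the RecipientInfo
    # carries (issuer, 0x2002): the binary comparison no longer matches.
    return {
        "ias_hit_original": store.find_by_issuer_and_serial(original),
        "ias_hit_recertified": store.find_by_issuer_and_serial(recertified),
        "skid_hit_recertified": store.find_by_key_id(recertified),
        "ias_differs": original.issuer_and_serial() != recertified.issuer_and_serial(),
        "skid_same": original.skid() == recertified.skid(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as-is; the issuerAndSerialNumber lookup succeeds only for the certificate the key was stored with, which is exactly why recovering the archived key without its original certificate (or issuing a second certificate for the same key) leaves software that compares issuerAndSerialNumber unable to decrypt.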