Re: [IETF-PKIX] Multiple certificates for same key?
>If I understand correctly, there is a scenario for cross-certification
>whereby I retrieve your public key from a directory (where it may be
>stored as a key, or it may be sealed into a certificate) and then I
>issue a certificate containing your public key signed by me.
>
>If this is accurate, it follows that there will be many certificates
>extant containing the same public key.
>
>Another issue: any ambiguity which may proceed from the intentional
>issuance of two different certs against one key pair, will also apply
>whenever random processes or operational errors produce identical key
>pairs for different users. Although we can prefer that this not happen
>we cannot prevent it by mandate, therefore the infrastructure must be
>sufficiently robust that it not fail when this condition is encountered.
>
>-Dwight
Both valid points, and among the reasons why I didn't say "never".
Bob
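
The situation Dwight describes, as an added example that is not part of the original thread: two constructed CAs each certify the same public key, and a store indexed by SubjectPublicKeyInfo hash keeps a list per key so the second certificate does not displace the first. `Store`, `certify`, `check`, `CertsForOneKey` and the CA and subject names are hypothetical, and Ed25519 is chosen only to keep the key generation short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Store indexes certs by SHA-256 of SubjectPublicKeyInfo; one key may map to many certs.
type Store map[[32]byte][]*x509.Certificate

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// certify has a fresh, constructed CA named caName sign pub and files the result in s.
func (s Store) certify(caName string, pub ed25519.PublicKey) {
	_, caKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: caName}} // issuer name only
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "subject"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, pub, caKey)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	k := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	s[k] = append(s[k], c) // append, never overwrite: the key is not a unique identifier
}

// CertsForOneKey certifies one key under two CAs, then looks the key up independently.
func CertsForOneKey() []*x509.Certificate {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	s := Store{}
	s.certify("CA-One", pub) // constructed issuer names
	s.certify("CA-Two", pub)
	spki, err := x509.MarshalPKIXPublicKey(pub)
	check(err)
	return s[sha256.Sum256(spki)]
}

func main() { fmt.Println(len(CertsForOneKey()), "certificates share one public key") }
```

Both certificates carry serial number 1, yet they remain distinguishable because their issuers differ; the public key alone does not select one of them.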