Re: [IETF-PKIX] Key Identifiers

[Rich Ankney <rankney@xxxxxxxxx>]

Key IDs are only guaranteed to be unique within the given subject
name, not globally (see X.509 etc.).  If one uses the SHA-1 hash
of the public key, there's a good chance it's globally unique, but
use of the hash is not a requirement of PKIX.

Regards,
Rich

----------
> From: Ian Roberts <iroberts@zergo.com>
> To: IETF-PKIX@LISTS.TANDEM.COM
> Subject: Re: [IETF-PKIX] Key Identifiers
> Date: Friday, April 17, 1998 11:45 AM
>
> The discussion on Key Identifiers lead me down the following chain of
> thought;
>
> If the Key Identifier is useful for building a path, then it would be
useful
> to be able to query a directory server for certificates containing keys
with
> a given key identifier.
>
> If directory servers become sufficiently large (for example, the size of
the
> Altavista search engine) then a lookup of a large number of certificates
by
> Key Identifier should be possible within a couple of seconds (with many
> occurring concurrently).
>
> If the directory server contained 200 million certificates, then a
possible
> attack would be to generate key sets and then query the directory server
for
> matches.  This would give someone with a fairly low-spec machine the
ability
> to search several hundred million keys per second.
>
> Ian Roberts
> --
> Zergo Limited, The Square, Basing View, Basingstoke, Hants. RG21 4EG, UK
> Tel: + 44 (0) 1442 342 600    Fax: +44 (0) 1256 812 901
> Website:  http://www.zergo.com