AW: Max length of serial number

AW: Max length of serial number

thomas.beckmann
Richard,

as far as I read the text from the RFC, they are talking about non-negative
numbers. So the range is from 0 to 2^(159)-1 because the one bit missing
indicates a negative number.

Best regards

Thomas Beckmann

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On behalf of Richard Levitte
> Sent: Monday, 18 July 2005 15:42
> To: [hidden email]
> Cc: Jorey Bump
> Subject: Re: Max length of serial number
>
>
> Jorey Bump writes:
>
> > And RFC 3280 has this to say:
> >
> > 4.1.2.2  Serial number
> >
> >    The serial number MUST be a positive integer assigned by the CA to
> >    each certificate.  It MUST be unique for each certificate issued by a
> >    given CA (i.e., the issuer name and serial number identify a unique
> >    certificate).  CAs MUST force the serialNumber to be a non-negative
> >    integer.
> >
> >    Given the uniqueness requirements above, serial numbers can be
> >    expected to contain long integers.  Certificate users MUST be able to
> >    handle serialNumber values up to 20 octets.  Conformant CAs MUST NOT
> >    use serialNumber values longer than 20 octets.
> >
> >    Note: Non-conforming CAs may issue certificates with serial numbers
> >    that are negative, or zero.  Certificate users SHOULD be prepared to
> >    gracefully handle such certificates.
> >
> > I guess this limits serial numbers to 20 numeric characters,
>
> You do realise, don't you, that 20 octets isn't the same as 20 numeric
> characters?
>
> This means that your serial number span is 0 to 2^(8*20)-1, which is 2^160
> different values.  That's enough to give every atom in the known universe a
> few certs each.  I bet that's enough for your purposes :-).
>
> Cheers,
> Richard
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: AW: Max length of serial number

Richard Levitte - VMS Whacker
[hidden email] writes:

> as far as I read the text from the RFC, they are talking about non-negative
> numbers. So the range is from 0 to 2^(159)-1 because the one bit missing
> indicates a negative number.

True.  That doesn't change my point, though :-).

Cheers,
Richard

 -----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte                         [hidden email]
                                       http://richard.levitte.org/ 

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
                                               -- C.S. Lewis
