From: nisse@lysator.liu.se (Niels Möller)
To: Tony Bartoletti
Cc: Ed Gerck, spki@c2.net
Subject: Re: X.509 ACs vs. SPKI?
Date: 26 May 1999 23:00:30 +0200
In-Reply-To: Tony Bartoletti's message of "Wed, 26 May 1999 10:26:09 -0700"

Tony Bartoletti writes:

> In the (exceptional?) case where two identical public keys are generated
> independently, and both happen to attempt access to the same resource,
> then the hash of the entire cert is a must for uniqueness.

I don't quite get it. I assume that by "generation" you mean generation of a key _pair_? (As generating a public key without the corresponding private key is pretty useless; no system will grant you any access with the public part alone).

But to "happen" to independently regenerate somebody else's _private_ key is hard, as it's equivalent to successfully breaking the public key, by guessing. And if you somehow manage to generate/guess the other person's key, we have some vastly more serious problems than non-uniqueness of identifiers.

And the usual procedure is to consider that possibility as small enough to be safely neglected.

Or am I missing something?

Regards,
/Niels