Closed Javex closed 9 years ago
The draft says:
> For a non-enrollment message (for example GetCert and GetCRL), the transactionID SHOULD be a number unique to the client.
That can be interpreted in different ways. What is the solution of other implementations?
Edit: How about the serial number of the requestor's signing certificate?
This might not be enough. What if multiple GetCert requests are signed with the same certificate? I think we need different functions depending on parameters unique to this operation. I'll take a look at this soon.
The standard does not specify an enforced way on how the transaction ID should be calculated, just that it is reproducible. For our case, we currently always hash the public key of the CSR. However, in some cases, e.g. GetCRL, the request may not be present any more (it can be deleted once a certificate has been obtained). In that case the certificate could be used for the transaction ID.
Then we have the case of GetCert: Here we have no certificate. How do we generate the transaction ID here? We need to look at different possible ways to generate one in a stable way.
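The approach discussed above (hash the public key of the CSR, and recompute the same value from the issued certificate once the CSR has been deleted), as an added example that is not the project's own code: it assumes SHA-256 over the DER SubjectPublicKeyInfo as the hash, walks the CSR and certificate with a minimal DER reader (not a full ASN.1 validator), and embeds constructed sample structures with dummy keys and signatures so it runs offline. The GetCert case is left open here, as it is in the thread.

```python
import hashlib
def _tlv(data, pos):
    """Decode the DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(data, start, end):
    """Yield (tag, raw TLV bytes) for each element of a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, _, ve = _tlv(data, pos)
        yield tag, data[pos:ve]
        pos = ve

def _spki(der_bytes, index):
    """SubjectPublicKeyInfo TLV: field `index` of the inner SEQUENCE after dropping [0] elements."""
    _, outer_s, _ = _tlv(der_bytes, 0)                 # CertificationRequest / Certificate
    _, inner_s, inner_e = _tlv(der_bytes, outer_s)     # CertificationRequestInfo / TBSCertificate
    return [raw for tag, raw in _children(der_bytes, inner_s, inner_e) if tag != 0xA0][index]

def transaction_id_from_csr(csr_der: bytes) -> str:
    """Transaction ID = SHA-256 (assumed hash) of the public key carried in the CSR."""
    return hashlib.sha256(_spki(csr_der, 2)).hexdigest()

def transaction_id_from_cert(cert_der: bytes) -> str:
    """The same ID recomputed from the issued certificate once the CSR has been deleted."""
    return hashlib.sha256(_spki(cert_der, 5)).hexdigest()

def der(tag, body):
    """Constructed-data helper: encode one TLV with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
# Constructed sample pieces: rsaEncryption OID, CN=client-1, dummy signature, validity window
RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"client-1"))))
SIG = der(0x03, b"\x00" + b"\xAA" * 8)
VALIDITY = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
def build_samples(key: bytes):
    """Constructed CSR and certificate DER that carry the same (dummy) public key bytes."""
    spki = der(0x30, RSA_ALG + der(0x03, b"\x00" + key))
    csr = der(0x30, der(0x30, der(0x02, b"\x00") + NAME + spki + der(0xA0, b"")) + RSA_ALG + SIG)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x10\x01")
              + RSA_ALG + NAME + VALIDITY + NAME + spki)
    return csr, der(0x30, tbs + RSA_ALG + SIG)
CSR_DER, CERT_DER = build_samples(bytes(range(256)))   # dummy key blob, long-form lengths
```

Because the ID is derived only from the key material, both artifacts yield the same value; a different key yields a different ID.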