Re: [Fed-Talk] Please file a bug report
- Subject: Re: [Fed-Talk] Please file a bug report
- From: "Miller, Timothy J." <email@hidden>
- Date: Thu, 17 Apr 2014 16:08:18 +0000
- Thread-topic: [Fed-Talk] Please file a bug report
Note that ID'ing a cert by hash is inherently ambiguous. The cert itself can contain a hash identifier, but it's only a hash of the publicKeyInfos structure and stored in the SubjectKeyIdentifier extension. Or you can hash the TBSCertificate structure, which is used in calculating the signature. Or you can hash the whole certificate (MS calls this the cert fingerprint). Note that SubjectKeyIdentifier and cert fingerprint only have the algorithm informally identified by convention, just to make life interesting.
Which hash is being asked for here? :)
-- T
>-----Original Message-----
>From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-
>bounces+tmiller=email@hidden] On Behalf Of John Oliver
>Sent: Thursday, April 17, 2014 10:57 AM
>To: Apple Fed-Talk
>Subject: Re: [Fed-Talk] Please file a bug report
>
>I'm not clear on why you think this isn't a bug. There are, AFAIK, two
>ways to specify which certificate you're dealing with... 1) the common name,
>which can be full of strange characters; and 2) the hash. Why would it be
>appropriate to ONLY be able to specify a certificate with the problematic
>common name, but it would be ridiculous to want to clearly specify which
>certificate via the standard hash?
>
>I could be missing something here, but even Shawn Geddis indicated this
>was probably a bug a year or so ago. I cannot think of a single rational
>reason why you should not be able to "security delete-certificate -Z
><hash>"
>
>
>
>
>On 4/17/14 8:50 AM, "Fiumara, Gregory" <email@hidden> wrote:
>
>>On 4/17/14, 11:25 AM, "John Oliver" <email@hidden> wrote:
>>
>>>That wouldn't help when I want to delete a certificate with the hash.
>>
>>With `security delete-certificate`, -Z takes a hash argument.
>>With `security find-certificate`, -Z prints the hash and does not take an
>>argument.
>>
>>I think you have all the tools you need. Regardless, -Z ignoring your hash
>>argument with find-certificate is not a bug. Maybe you want to submit a
>>feature request to add a switch to find-certificate that accepts a hash
>>argument.
>>
>>-Greg
>>
>>--
>>Greg Fiumara
>>
>>
>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
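To make the ambiguity Tim describes concrete, here is an added example (not code from the Fed-Talk thread or from Apple's `security` tool) that computes all three "certificate hashes" from one DER-encoded certificate using only the Python standard library: the fingerprint over the whole certificate, the hash over the TBSCertificate element, and the SubjectKeyIdentifier as RFC 5280 section 4.2.1.2 method (1) defines it (SHA-1 over the subjectPublicKey BIT STRING contents). The certificate is constructed inline with a dummy, unverifiable signature and a made-up RSA modulus; the helper names (`der`, `der_children`, `build_sample_cert`, `cert_hashes`) are this example's own.

```python
# Added example: the three different "certificate hashes" from one DER cert.
# Not from the Fed-Talk thread. Standard library only; the sample certificate
# is constructed below with a dummy signature (hashing never verifies it).
import hashlib

OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
OID_RSA = bytes.fromhex("2A864886F70D010101")         # 1.2.840.113549.1.1.1
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_SKI = bytes.fromhex("551D0E")                     # 2.5.29.14 subjectKeyIdentifier


def der(tag, content):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        lb = bytes([n])
    else:
        lbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lb = bytes([0x80 | len(lbytes)]) + lbytes
    return bytes([tag]) + lb + content


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start, tlv_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        vs, ve = pos + hdr, pos + hdr + length
        yield tag, vs, ve, pos, ve
        pos = ve


def build_sample_cert(modulus, exponent=65537):
    """Constructed v3 certificate: CN=Test, RSA SPKI, SKI extension, dummy signature."""
    rsa_pub = der(0x30, der(0x02, modulus) + der(0x02, exponent.to_bytes(3, "big")))
    alg_rsa = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + rsa_pub))   # BIT STRING, 0 unused bits
    ski = hashlib.sha1(rsa_pub).digest()                       # RFC 5280 4.2.1.2 method (1)
    ski_ext = der(0x30, der(0x06, OID_SKI) + der(0x04, der(0x04, ski)))
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, b"Test"))))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +        # [0] EXPLICIT version v3
              der(0x02, b"\x01") +                   # serialNumber
              sig_alg + name + validity + name + spki +
              der(0xA3, der(0x30, ski_ext)))         # [3] EXPLICIT extensions
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 8))  # dummy sig


def cert_hashes(cert_der):
    """Return whole-cert fingerprints, the TBSCertificate hash, and both SKIs."""
    _, cert_vs, cert_ve, _, _ = next(der_children(cert_der, 0, len(cert_der)))
    _, tbs_vs, tbs_ve, tbs_ts, tbs_te = next(der_children(cert_der, cert_vs, cert_ve))
    fields = list(der_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                   # optional version field present
        fields = fields[1:]
    # serial(0), signature(1), issuer(2), validity(3), subject(4), spki(5), ...
    spki = fields[5]
    _alg, bitstr = list(der_children(cert_der, spki[1], spki[2]))
    key_bytes = cert_der[bitstr[1] + 1:bitstr[2]]   # skip the unused-bits octet
    ski_in_cert = None
    for f in fields[6:]:
        if f[0] == 0xA3:                       # [3] extensions
            exts = next(der_children(cert_der, f[1], f[2]))
            for ext in der_children(cert_der, exts[1], exts[2]):
                parts = list(der_children(cert_der, ext[1], ext[2]))
                if cert_der[parts[0][1]:parts[0][2]] == OID_SKI:
                    octet = parts[-1]          # extnValue OCTET STRING
                    inner = next(der_children(cert_der, octet[1], octet[2]))
                    ski_in_cert = cert_der[inner[1]:inner[2]].hex()
    return {
        "fingerprint_sha1": hashlib.sha1(cert_der).hexdigest(),
        "fingerprint_sha256": hashlib.sha256(cert_der).hexdigest(),
        "tbs_sha1": hashlib.sha1(cert_der[tbs_ts:tbs_te]).hexdigest(),
        "ski_computed_sha1": hashlib.sha1(key_bytes).hexdigest(),
        "ski_in_extension": ski_in_cert,
    }


if __name__ == "__main__":
    # Constructed input: a made-up RSA modulus (leading 0x00 keeps the INTEGER positive).
    cert = build_sample_cert(bytes.fromhex("00C1D2E3F4A5B6C7D8E9FA0B1C2D3E4F50"))
    for name, value in cert_hashes(cert).items():
        print(f"{name:20} {value}")
```

Running it prints three unrelated SHA-1 values for the same certificate, and shows that the SKI carried in the extension equals the one recomputed from the public key. The whole-DER value is the one fingerprint-style tools such as `openssl x509 -fingerprint` report, and the algorithm (SHA-1 here, SHA-256 in the second field) is a convention of the tool rather than something recorded in the certificate, which is exactly why a bare "hash" argument needs to say which structure and which algorithm it means.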