
I need to validate a few SSL certificates (X509Certificate2) in my app and I was wondering if a decent approach could be to only compare the X509Certificate2.Thumbprint and X509Certificate2.SerialNumber of the certificate, since both should be unique (aside from possible collisions of the hash algorithm).

What are the attack vectors with this approach? I know that a proper validation includes several steps (chain validation, CRL, etc.), but if I only have to validate a specific number of certificates and not "all possible" certificates, this approach looks quite good (compared to the work I would have to put in).

Neil
zlZimon
    Maybe this is a question for http://security.stackexchange.com? – Uwe Keim Jul 26 '16 at 09:49
    The serial number is not unique and can be set by a possible attacker – MrTux Jul 26 '16 at 09:49
  • With that approach, you can't revoke a certificate if needed. – Tom Jul 26 '16 at 10:57
  • OK, but a possible attacker cannot fake the thumbprint, right? And I can revoke a certificate from the client side by updating the app, and from the server side I could just change the certificate, right? – zlZimon Jul 26 '16 at 14:13
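As an added example (not part of the original question or its comments), the following C# program makes the two points from the thread concrete: the serial number is chosen by whoever issues the certificate, so an attacker's self-signed certificate can carry exactly the same serial as the real one, while the thumbprint (a hash over the whole DER encoding) cannot be reproduced without a hash collision. It also shows the pin check wired into an HttpClientHandler callback. The subject name, the serial bytes and the SHA-256 pin format are assumptions made for the demonstration; the X509Certificate2.Thumbprint property itself is SHA-1. It targets .NET Core 2.1 or later (CertificateRequest, CryptographicOperations).

```csharp
// Added example, not code from the original post. Pinning by certificate hash vs. serial number.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class Pinning
{
    // SHA-256 over the DER-encoded certificate (assumed pin format; X509Certificate2.Thumbprint
    // is the SHA-1 equivalent). Kept as raw bytes so the comparison can be constant-time.
    public static byte[] Fingerprint(X509Certificate2 cert)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(cert.RawData);
    }

    public static bool IsPinned(X509Certificate2 cert, IEnumerable<byte[]> pins)
    {
        if (cert == null) return false;
        byte[] actual = Fingerprint(cert);
        return pins.Any(p => CryptographicOperations.FixedTimeEquals(p, actual));
    }

    // Hook for HttpClient: the pin list is the whole policy. Chain errors, expiry and CRL/OCSP
    // are deliberately ignored here, which is exactly the trade-off the question asks about:
    // a pinned cert can only be "revoked" by shipping a new pin list to the client.
    public static HttpClientHandler PinnedHandler(IEnumerable<byte[]> pins)
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback =
            (request, cert, chain, sslPolicyErrors) => IsPinned(cert, pins);
        return handler;
    }

    // Self-signed certificate with a caller-chosen serial number: the issuer, not the
    // verifier, decides the serial, so an attacker can copy the victim's serial.
    public static X509Certificate2 MakeCert(string subject, byte[] serial)
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var gen = X509SignatureGenerator.CreateForRSA(rsa, RSASignaturePadding.Pkcs1);
            var now = DateTimeOffset.UtcNow;
            return req.Create(req.SubjectName, gen, now.AddMinutes(-5), now.AddDays(30), serial);
        }
    }

    static void Main()
    {
        // Constructed serial (8 bytes, positive) used for both certificates.
        byte[] serial = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
        var legit  = MakeCert("CN=api.example.test", serial); // the cert the app pins
        var forged = MakeCert("CN=api.example.test", serial); // attacker key, same subject and serial

        Console.WriteLine($"serial equal:     {legit.SerialNumber == forged.SerialNumber}"); // True
        Console.WriteLine($"thumbprint equal: {legit.Thumbprint == forged.Thumbprint}");     // False

        var pins = new[] { Fingerprint(legit) };
        Console.WriteLine($"legit pinned:  {IsPinned(legit, pins)}");  // True
        Console.WriteLine($"forged pinned: {IsPinned(forged, pins)}"); // False

        using (var client = new HttpClient(PinnedHandler(pins)))
        {
            // Any TLS connection through this client is accepted only if the leaf cert's
            // SHA-256 fingerprint is in `pins`, regardless of what the chain says.
        }
    }
}
```

Two practical caveats follow from the code: comparing SerialNumber adds nothing once the thumbprint matches, and it is not a defence on its own; and because the callback replaces chain building, a compromised or rotated server key can only be handled by updating the pin list in the client, so pinning several hashes (current and next certificate) is the usual way to keep a rotation from locking clients out.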

0 Answers