[x500standard] Re: Another lack of clarity in X.509

  • From: David Chadwick <d.w.chadwick@xxxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Wed, 25 Jun 2008 17:09:04 +0100

Hi Erik

The signature can actually be based on any encoding, since it is generated from a hash of the encoded byte string. There is no requirement to decode and re-encode to check a signature. You simply need to hash the received byte string and decrypt the signature bits and compare the two hashes.

The confusion over DER came when it was wrongly assumed, due to the 7 layer model, that the presentation layer would decode the byte string and the application layer would never have access to the byte string. But this is wrong in all practical implementations. The standard should have been changed to remove any mention of DER, but because all implementations use DER it was considered too destabilising to remove this. But the looser wording probably reflects the fact that DER is not essential now.

regards

David





Erik Andersen wrote:
Hi,

I am now in 6.1 of X.509:2005.

It is my understanding that in a distributed environment (and directory is potentially distributed), the signature is generated based on the DER encoding of the abstract syntax, but the data actually transmitted need not be strictly DER encoded. If this understanding is not true, then X.509 is not clear about it.

Assuming it is true, the recipient cannot know whether a received message is DER encoded or not, but needs to decode the message and re-encode in DER to check the signature.

The last paragraph of 6.1 with the three bullets gives me problems. An implementation cannot easily decode a message if the underlying abstract syntax is not fully known (e.g. it is difficult to distinguish between set and set-of). The three last bullets pretend to be the solution to that problem.

A DUA sends a message to DSA-A and DSA-A chains the message to DSA-B. It must be assumed that the DUA will fully understand the abstract syntax of the sent message, but assuming that DSA-A does not fully know the underlying abstract syntax, the following rules should then be used:

- DSA-A preserves the encoding of the received message, and it is supposed to add its own signature.

- DSA-A, after having added all its chaining stuff, DER encodes the part of the abstract syntax it fully knows and keeps all unknown data with preserved encoding (which may not be DER encoded). It then generates the signature.

- DSA-B should now just check the signature based on the received encoding.

How does DSA-B know that DSA-A is a stupid DSA not knowing the full abstract syntax? DSA-B may fully understand the abstract syntax and may therefore decode the whole thing and re-encode in DER to check the signature. The DSA-A signature may then fail.

If it is the opposite, DSA-A is a clever DSA and DSA-B is a stupid DSA, then DSA-B cannot fully decode the message and create its own DER encoding to check DSA-A’s signature.

Erik Andersen

Andersen's L-Service

Mobile: +45 20 97 14 90

e-mail: era@xxxxxxx

http://www.x500.eu

http://www.x500standard.com/


--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@xxxxxxxxxx
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
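
The following is an added illustration of the question discussed in this thread, not code from either correspondent or from X.509. It builds a constructed BER message that is not DER and compares verification over the received bytes with verification after decoding and re-encoding in DER. Assumptions: SHA-256 as the hash, a digest comparison standing in for the public-key step, and the hypothetical helper names read_tlv, der_length, to_der and verify.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Parse one BER TLV (single-byte tag, definite length) -> (tag, value, end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form, possibly non-minimal in BER
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length not handled in this sketch")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_length(n):
    """Minimal (DER) length octets for a content length n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def to_der(buf):
    """Canonicalise one TLV: minimal lengths, BOOLEAN TRUE as 0xFF, SET members sorted."""
    tag, value, _ = read_tlv(buf)
    if tag & 0x20:                        # constructed: canonicalise each child
        children, pos = [], 0
        while pos < len(value):
            end = read_tlv(value, pos)[2]
            children.append(to_der(value[pos:end]))
            pos = end
        if tag == 0x31:                   # assumption: treated as SET OF; without the
            children.sort()               # schema, SET and SET OF look the same here
        value = b"".join(children)
    elif tag == 0x01 and value != b"\x00":
        value = b"\xff"                   # DER requires TRUE to be 0xFF
    return bytes([tag]) + der_length(len(value)) + value

# Constructed sample: SEQUENCE { BOOLEAN TRUE as 0x01, OCTET STRING "abc", long-form length }
RECEIVED = bytes.fromhex("30 09 01 01 01 04 81 03 61 62 63")
# Stand-in for the digest recovered from the signature: the signer hashed the bytes it sent.
SIGNED_DIGEST = hashlib.sha256(RECEIVED).digest()

def verify(received, signed_digest, reencode=False):
    """Compare the signed digest with a hash of the received or the re-encoded bytes."""
    data = to_der(received) if reencode else received
    return hashlib.sha256(data).digest() == signed_digest
```

With the sample above, verify(RECEIVED, SIGNED_DIGEST) succeeds, while the same call with reencode=True fails because the DER re-encoding differs from the bytes the signer hashed.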
-----
www.x500standard.com: The central source for information on the X.500 Directory 
Standard.
