Hi folks,

In contrast to RFC 5280, X.509 does not require DER encoding. It only requires that the signature is generated across a DER encoded certificate, but the certificate itself may be encoded using BER.

Should we add a sentence somewhere in X.509 and possibly in RFC 5280 specifying that when verifying a signature a relying party shall decode and then encode the certificate in DER to verify the signature?

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
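Added example, not part of the original message: a Python sketch of the decode-then-re-encode step the message proposes, showing that a digest taken over the bytes as received differs from the digest over the DER form. The function names, the sample bytes and the choice of SHA-256 are assumptions made for illustration, and only BER length forms and BOOLEAN values are normalized; full DER canonicalization (for example SET OF ordering and DEFAULT values) needs schema knowledge and is not attempted here.

```python
import hashlib

def _der_len(n):                       # DER: shortest possible length octets
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _read_tlv(buf, pos):
    """Parse one BER TLV at pos; return (DER re-encoding, next position)."""
    first, pos = buf[pos], pos + 1
    if first & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this sketch")
    constructed = bool(first & 0x20)
    lbyte, pos = buf[pos], pos + 1
    if lbyte == 0x80:                  # indefinite length, legal in BER only
        if not constructed:
            raise ValueError("indefinite length on a primitive type")
        content = b""
        while buf[pos:pos + 2] != b"\x00\x00":   # stop at end-of-contents
            child, pos = _read_tlv(buf, pos)
            content += child
        return bytes([first]) + _der_len(len(content)) + content, pos + 2
    if lbyte & 0x80:                   # long form, possibly non-minimal
        n = lbyte & 0x7F
        lbyte, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + lbyte
    if end > len(buf):
        raise ValueError("truncated encoding")
    content = buf[pos:end]
    if constructed:                    # re-encode every child recursively
        content = b""
        while pos < end:
            child, pos = _read_tlv(buf, pos)
            content += child
        if pos != end:
            raise ValueError("child overruns its parent")
    elif first == 0x01 and len(content) == 1 and content != b"\x00":
        content = b"\xff"              # DER: BOOLEAN TRUE is exactly 0xFF
    return bytes([first]) + _der_len(len(content)) + content, end

def ber_to_der(data):
    der, end = _read_tlv(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after the encoding")
    return der

def digest_for_verification(received):  # SHA-256 is an assumed hash choice
    return hashlib.sha256(ber_to_der(received)).digest()

# Constructed sample (not a real certificate): the same value in BER and DER.
BER_SAMPLE = bytes.fromhex("3080 02810105 010101 3080 04026162 0000 0000")
DER_SAMPLE = bytes.fromhex("300c 020105 0101ff 3004 04026162")
```

Hashing `BER_SAMPLE` directly gives a different digest from hashing `DER_SAMPLE`, while `digest_for_verification(BER_SAMPLE)` matches the DER digest.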