[x500standard] Re: DER encoding of certificates

  • From: "Ramsay, Ron" <Ron.Ramsay@xxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>
  • Date: Wed, 6 Jul 2011 16:48:12 +1000

Hi Erik,

 

Maybe I'm trying to turn back time, but common sense would dictate that
the signature should apply to the blob it is attached to, even if that
blob doesn't follow the DER rules. The notion that you have a signature
to a blob which you don't have, and can't obtain, but for which you have
a hint that should enable you to construct that blob, is a bit weird.

 

Also, isn't DER itself underspecified? That is, aren't there situations
that are still ambiguous, even in the face of DER? I remember hearing
something about it about 10 years ago, but I may be wrong.

 

Ron

 

From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Wednesday, 6 July 2011 4:35 PM
To: Directory list; SG17-Q11; PKIX
Subject: [x500standard] DER encoding of certificates

 

Hi folks,

 

In contrast to RFC 5280, X.509 does not require DER encoding. It only
requires that the signature is generated across a DER encoded
certificate, but the certificate itself may be encoded using BER.

 

Should we add a sentence somewhere in X.509 and possibly in RFC 5280
specifying that when verifying a signature a relying party shall decode
and then encode the certificate in DER to verify the signature?

 

Erik Andersen

Andersen's L-Service

Elsevej 48,

DK-3500 Vaerloese

Denmark

Mobile: +45 2097 1490

e-mail: era@xxxxxxx

Skype: andersen-erik

http://www.x500.eu/

http://www.x500standard.com/

http://dk.linkedin.com/in/andersenerik
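
The decode-and-re-encode step discussed in this thread, as an added example that is not part of either message: a relying party receives a BER-encoded structure, re-encodes it in DER, and compares the digest of the received bytes with the digest of the DER form. The sample bytes are constructed, the function names are hypothetical, and the sketch applies only two DER rules (shortest length form, BOOLEAN TRUE as 0xFF); other DER rules such as SET OF ordering are not handled.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one BER TLV at pos; return (tag, content, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F or first == 0x80:
        raise ValueError("high tag numbers / indefinite length not handled here")
    pos += 2
    if first & 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                 # short form: length fits in 7 bits
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def der_length(n):
    """DER requires the shortest possible length encoding."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def to_der(buf):
    """Re-encode consecutive BER TLVs with DER lengths and DER BOOLEANs."""
    out, pos = b"", 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        if tag & 0x20:                    # constructed: recurse into the contents
            content = to_der(content)
        elif tag == 0x01 and len(content) == 1 and content != b"\x00":
            content = b"\xff"             # DER: TRUE is exactly 0xFF
        out += bytes([tag]) + der_length(len(content)) + content
    return out

def signed_input_digests(received):
    """SHA-256 over the bytes as received and over their DER re-encoding."""
    return (hashlib.sha256(received).hexdigest(),
            hashlib.sha256(to_der(received)).hexdigest())

# Constructed sample: SEQUENCE { INTEGER 5, BOOLEAN TRUE }
BER_BLOB = bytes.fromhex("308106020105010101")  # long-form length, TRUE as 0x01
DER_BLOB = bytes.fromhex("30060201050101ff")    # the same value in DER

if __name__ == "__main__":
    as_received, as_der = signed_input_digests(BER_BLOB)
    print("digest of received bytes:", as_received)
    print("digest of DER re-encoding:", as_der)
```

A signature computed over the DER form verifies only against the second digest, which is why the two encodings cannot be used interchangeably as verification input.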

 
