[x500standard] Re: DER encoding of certificates

  • From: Steven Legg <steven.legg@xxxxxxxxxxxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Wed, 06 Jul 2011 17:22:02 +1000


Erik,

On 6/07/2011 4:34 PM, Erik Andersen wrote:
Hi folks,

In contrast to RFC 5280, X.509 does not require DER encoding. It only requires
that the signature is generated across a DER encoded certificate, but the
certificate itself may be encoded using BER.

Should we add a sentence somewhere in X.509 and possibly in RFC 5280 specifying
that when verifying a signature a relying party shall decode and then encode the
certificate in DER to verify the signature?

That would cause more problems than it solves because all too often in
the real world signatures are calculated over the BER encoding that is
transmitted rather than the DER encoding it is supposed to be calculated
over.

Erik Andersen wrote:
> If the RDN is part of a primary distinguished name, the primaryDistinguished
> component is TRUE and the valueWithContext shall not be included. If in addition
> the primaryDistinguished component is absent taking the default value, the encoding
> of a 5280 certificate and the encoding of an X.509 certificate are identical.
> However, if the primaryDistinguished component is present and takes the value TRUE,
> an X.509 certificate will be different from a 5280 certificate and may not be
> accepted by all systems. Apparently, some tool will always add the primaryDistinguished
> component with the value TRUE.

Is this an observed problem or a theoretical one? A decoder using the 5280
definition may well treat the AttributeTypeAndValue type as implicitly
extensible, in which case the primaryDistinguished component will be an
unknown extension that is gracefully ignored. The certificate couldn't be
re-encoded in DER, but that's not a wise thing to do anyway for the reason
above.

Regards,
Steven


Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik


-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
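The following is an added worked example, not code from the thread or from any X.500 or PKIX implementation. It uses a toy BER parser and DER re-encoder (single-byte tags only, SET treated as SET OF, no schema knowledge, so DEFAULT components are not stripped), a constructed one-RDN Name whose AttributeTypeAndValue carries a trailing BOOLEAN TRUE, and an HMAC that stands in for the CA's signature algorithm. It shows Steven's point concretely: a relying party that always re-encodes to DER before verifying accepts a signer who followed X.509 (signed the DER, shipped BER) but rejects the common real-world signer who signed the bytes actually transmitted, and checking the received bytes gives the opposite result. It also shows the extensible-decoder behaviour he describes, where a component after `value` is ignored rather than rejected.

```python
import hashlib
import hmac


def _read_length(buf, pos):
    """Decode a BER length at buf[pos]; returns (length_or_None, next_pos).
    None signals the indefinite form (0x80), which DER forbids."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0:
        return None, pos
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse_ber(buf, pos=0):
    """Parse one BER TLV (single-byte tags only) into (tag, value): bytes for a
    primitive, a list of child nodes for a constructed type. Returns (node, end)."""
    tag = buf[pos]
    pos += 1
    constructed = bool(tag & 0x20)
    length, pos = _read_length(buf, pos)
    if length is None:
        if not constructed:
            raise ValueError("indefinite length on a primitive")
        children = []
        while buf[pos:pos + 2] != b"\x00\x00":      # end-of-contents octets
            child, pos = parse_ber(buf, pos)
            children.append(child)
        return (tag, children), pos + 2
    end = pos + length
    if not constructed:
        return (tag, bytes(buf[pos:end])), end
    children = []
    while pos < end:
        child, pos = parse_ber(buf, pos)
        children.append(child)
    if pos != end:
        raise ValueError("child elements overrun the enclosing length")
    return (tag, children), end


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_der(node):
    """Re-encode a parsed node in DER: minimal definite lengths, BOOLEAN TRUE as
    0xFF, SET OF members sorted by encoding. Omitting DEFAULT values needs the
    ASN.1 module and is deliberately not attempted here."""
    tag, value = node
    if isinstance(value, list):
        parts = [encode_der(c) for c in value]
        if tag == 0x31:                             # SET OF, e.g. an RDN
            parts.sort()
        content = b"".join(parts)
    elif tag == 0x01 and value != b"\x00":
        content = b"\xff"
    else:
        content = value
    return bytes([tag]) + _der_length(len(content)) + content


def to_der(ber):
    return encode_der(parse_ber(ber)[0])


def tlv(tag, content, length_octets=None):
    """Build a TLV; length_octets lets the sample force a non-minimal BER length."""
    return bytes([tag]) + (length_octets or _der_length(len(content))) + content


# Constructed sample: a Name with one RDN whose AttributeTypeAndValue has a
# trailing BOOLEAN TRUE after the commonName value (hypothetical data).
OID_CN = bytes.fromhex("550403")                    # id-at-commonName, 2.5.4.3
ATV_CONTENT = tlv(0x06, OID_CN) + tlv(0x13, b"Erik")
ATV_DER = tlv(0x30, ATV_CONTENT + tlv(0x01, b"\xff"))
TBS_DER = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, tlv(0x31, ATV_DER)))

# Same abstract value in BER: long-form length where short form would do,
# BOOLEAN TRUE as 0x01, and indefinite-length SEQUENCEs terminated by 00 00.
_atv = ATV_CONTENT + tlv(0x01, b"\x01")
ATV_BER = tlv(0x30, _atv, length_octets=b"\x81" + bytes([len(_atv)]))
TBS_BER = (b"\x30\x80" + tlv(0x02, b"\x01")
           + b"\x30\x80" + tlv(0x31, ATV_BER) + b"\x00\x00" + b"\x00\x00")

KEY = b"toy-ca-key"   # HMAC stands in for the CA's signature (assumption)


def sign(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)


def decode_atv(node):
    """RFC 5280-style decode treating AttributeTypeAndValue as extensible:
    components after `value` are ignored. Returns (oid, value, ignored_count)."""
    tag, children = node
    if tag != 0x30 or len(children) < 2 or children[0][0] != 0x06:
        raise ValueError("not an AttributeTypeAndValue")
    return children[0][1], children[1][1], len(children) - 2


def demo():
    """Which verification strategy accepts which kind of signer."""
    sig_over_der = sign(TBS_DER)    # signer followed X.509, shipped BER
    sig_over_ber = sign(TBS_BER)    # signer signed the transmitted bytes
    received, reencoded = TBS_BER, to_der(TBS_BER)
    return {
        "reencodes_to_der": reencoded == TBS_DER,
        "verify_received_bytes": (verify(received, sig_over_der),
                                  verify(received, sig_over_ber)),
        "verify_after_der_reencode": (verify(reencoded, sig_over_der),
                                      verify(reencoded, sig_over_ber)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Each strategy accepts exactly one of the two signers, which is why a blanket "re-encode in DER, then verify" rule would break certificates that verify fine today; `decode_atv` shows that the extra component only matters if the relying party tries to re-encode, not if it merely decodes.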
