[x500standard] SV: Re: 5280 certificate vs. X.509 certificate

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: <x500standard@xxxxxxxxxxxxx>, "SG17-Q11" <t09sg17q11@xxxxxxxxxxxxx>
  • Date: Sat, 2 Jul 2011 16:11:19 +0200

Hi Santosh,

As per my earlier reply, yes, DER requires that defaults are omitted. However,
only RFC 5280 specified DER encoding. X.509 does not. It only requires that
the signature is generated over a DER encoding of the certificate. If my
understanding is right, to verify the signature on a certificate, the
certificate has to be decoded and re-encoded using DER. However, X.509
requires DER encoding for extensions, which seems kind of weird.

Erik

From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Santosh Chokhani
Sent: 27 June 2011 13:39
To: x500standard@xxxxxxxxxxxxx; SG17-Q11
Subject: [x500standard] Re: 5280 certificate vs. X.509 certificate

Doesn't DER require default to be omitted?

From: x500standard-bounce@xxxxxxxxxxxxx
[mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Monday, June 27, 2011 7:23 AM
To: Directory list; SG17-Q11
Subject: [x500standard] 5280 certificate vs. X.509 certificate

RFC 5280 defines a Relative Distinguished Name as:

    RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

    AttributeTypeAndValue ::= SEQUENCE {
        type     AttributeType,
        value    AttributeValue }

while X.501 defines an RDN as:

    RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndDistinguishedValue

    AttributeTypeAndDistinguishedValue ::= SEQUENCE {
        type                  ATTRIBUTE.&id({SupportedAttributes}),
        value                 ATTRIBUTE.&Type({SupportedAttributes}{@type}),
        primaryDistinguished  BOOLEAN DEFAULT TRUE,
        valuesWithContext     SET SIZE (1..MAX) OF SEQUENCE {
            distingAttrValue  [0] ATTRIBUTE.&Type({SupportedAttributes}{@type}) OPTIONAL,
            contextList       SET SIZE (1..MAX) OF Context } OPTIONAL }

If the RDN is part of a primary distinguished name, the primaryDistinguished
component is TRUE and the valuesWithContext shall not be included. If in
addition, the primaryDistinguished component is absent taking the default
value, the encoding of a 5280 certificate and the encoding of an X.509
certificate are identical. However, if the primaryDistinguished component is
present and takes the value TRUE, an X.509 certificate will be different from
a 5280 certificate and may not be accepted by all systems. Apparently, some
tool will always add the primaryDistinguished component with the value TRUE.

We have a compatibility problem. I have previously raised the issue on the
PKIX list, but was misunderstood. When talking about alternative
distinguished names, it was believed that I talked about the alternative
name extension.

It has been suggested to remove context in naming, but it is a major undertaking
and it requires unanimous acceptance.

What should we do?

Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
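An added example, not part of Erik's message or of the thread: the Python below (standard library only) encodes the X.501 AttributeTypeAndDistinguishedValue shown above for a constructed sample value (commonName, UTF8String "Erik") in two ways, once per DER with the DEFAULT primaryDistinguished omitted, and once the way the tool Erik mentions would, with an explicit BOOLEAN TRUE. The two byte strings, and therefore their digests, differ, which is the compatibility problem; to_der() shows the decode-and-re-encode step a verifier has to perform before checking a signature computed over the DER form, as described in the reply at the top. The function names (encode_atdv, to_der, parse_tlvs) are this example's own, and the TLV reader handles only definite-length encodings.

```python
"""Added example: DER omits DEFAULT components, BER does not have to.

Constructed sample data only; the helpers here are not any library's API.
"""
import hashlib


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value for a single-octet tag."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06) with base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def encode_atdv(oid: str, value: str, explicit_primary: bool) -> bytes:
    """AttributeTypeAndDistinguishedValue with a UTF8String value.

    explicit_primary=True mimics a tool that always emits
    'primaryDistinguished BOOLEAN TRUE' even though TRUE is the DEFAULT.
    That is valid BER but not DER, so the bytes differ from the DER form.
    """
    content = encode_oid(oid) + tlv(0x0C, value.encode("utf-8"))
    if explicit_primary:
        content += tlv(0x01, b"\xff")  # BOOLEAN TRUE, explicitly present
    return tlv(0x30, content)


def parse_tlvs(data: bytes):
    """Minimal BER TLV reader (definite lengths only); yields (tag, content)."""
    i = 0
    while i < len(data):
        tag = data[i]
        ln = data[i + 1]
        i += 2
        if ln & 0x80:  # long form: low bits give the number of length octets
            k = ln & 0x7F
            ln = int.from_bytes(data[i:i + k], "big")
            i += k
        yield tag, data[i:i + ln]
        i += ln


def to_der(atdv: bytes) -> bytes:
    """Re-encode the SEQUENCE, dropping primaryDistinguished when it is TRUE.

    This is the decode-and-re-encode step a verifier needs before checking
    a signature that was generated over the DER encoding.
    """
    items = list(parse_tlvs(atdv))
    if len(items) != 1 or items[0][0] != 0x30:
        raise ValueError("expected a single SEQUENCE")
    kept = []
    for tag, content in parse_tlvs(items[0][1]):
        if tag == 0x01 and content != b"\x00":
            continue  # BOOLEAN TRUE is the DEFAULT value: DER says omit it
        kept.append(tlv(tag, content))
    return tlv(0x30, b"".join(kept))


def digest(data: bytes) -> str:
    """SHA-256 hex digest, standing in for the to-be-signed hash."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    der_form = encode_atdv("2.5.4.3", "Erik", explicit_primary=False)
    ber_form = encode_atdv("2.5.4.3", "Erik", explicit_primary=True)
    print("DER  :", der_form.hex())
    print("BER  :", ber_form.hex())
    print("same digest as sent?    ", digest(der_form) == digest(ber_form))
    print("same after DER re-encode?", digest(to_der(ber_form)) == digest(der_form))
```

A verifier that hashes the bytes exactly as received will get the second digest; one that decodes and re-encodes to DER first, as X.509 implies, gets the first. Only the latter accepts both encodings of the same name.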

 
