Hi Santosh,

As per earlier reply, yes, DER requires that defaults are omitted. However, only RFC 5280 specifies DER encoding. X.509 does not. It only requires that the signature is generated over a DER encoding of the certificate. If my understanding is right, to verify the signature on a certificate, the certificate has to be decoded and re-encoded using DER. However, X.509 requires DER encoding for extensions, which seems kind of weird.

Erik

From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On behalf of Santosh Chokhani
Sent: 27 June 2011 13:39
To: x500standard@xxxxxxxxxxxxx; SG17-Q11
Subject: [x500standard] Re: 5280 certificate vs. X.509 certificate

Doesn't DER require default to be omitted?

From: x500standard-bounce@xxxxxxxxxxxxx [mailto:x500standard-bounce@xxxxxxxxxxxxx] On Behalf Of Erik Andersen
Sent: Monday, June 27, 2011 7:23 AM
To: Directory list; SG17-Q11
Subject: [x500standard] 5280 certificate vs. X.509 certificate

RFC 5280 defines a Relative Distinguished Name as:

    RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

    AttributeTypeAndValue ::= SEQUENCE {
      type   AttributeType,
      value  AttributeValue }

while X.501 defines an RDN as:

    RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndDistinguishedValue

    AttributeTypeAndDistinguishedValue ::= SEQUENCE {
      type                  ATTRIBUTE.&id ({SupportedAttributes}),
      value                 ATTRIBUTE.&Type({SupportedAttributes}{@type}),
      primaryDistinguished  BOOLEAN DEFAULT TRUE,
      valuesWithContext     SET SIZE (1..MAX) OF SEQUENCE {
        distingAttrValue      [0] ATTRIBUTE.&Type ({SupportedAttributes}{@type}) OPTIONAL,
        contextList           SET SIZE (1..MAX) OF Context } OPTIONAL }

If the RDN is part of a primary distinguished name, the primaryDistinguished component is TRUE and the valuesWithContext shall not be included. If in addition, the primaryDistinguished component is absent, taking the default value, the encoding of a 5280 certificate and the encoding of an X.509 certificate are identical.

However, if the primaryDistinguished component is present and takes the value TRUE, an X.509 certificate will be different from a 5280 certificate and may not be accepted by all systems. Apparently, some tool will always add the primaryDistinguished component with the value TRUE. We have a compatibility problem.

I have previously raised the issue on the PKIX list, but was misunderstood. When talking about alternative distinguished names, it was believed that I talked about the alternative name extension.

It has been suggested to remove context in naming, but it is a major undertaking and it requires unanimous acceptance.

What should we do?

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
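The encoding difference the thread describes, as an added illustration that is not code from the list or from any X.500 implementation: it hand-encodes a single-attribute RDN in the X.501 AttributeTypeAndDistinguishedValue form (commonName with a PrintableString value only, an assumption), once with primaryDistinguished omitted as DER requires and once with an explicit TRUE as the tool mentioned above emits, and a check that flags the explicitly encoded DEFAULT value a strict DER decoder would reject.

```python
# Constructed example, not code from the thread: hand-encode one RDN as the
# X.501 AttributeTypeAndDistinguishedValue (commonName only, an assumption)
# and check the DER rule that a DEFAULT component must be omitted.

def tlv(tag, content):
    """Tag + DER length (short or long form) + content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

CN_OID = bytes.fromhex("550403")   # id-at-commonName, 2.5.4.3

def encode_rdn(cn, primary=True, encode_default=False):
    """SET OF one AttributeTypeAndDistinguishedValue. DER omits
    primaryDistinguished when it equals DEFAULT TRUE; encode_default=True
    reproduces the explicit TRUE some tools emit (FALSE must be encoded)."""
    body = tlv(0x06, CN_OID) + tlv(0x13, cn.encode("ascii"))
    if not primary or encode_default:
        body += tlv(0x01, b"\xff" if primary else b"\x00")
    return tlv(0x31, tlv(0x30, body))

def iter_tlv(data):
    """Yield (tag, content) for each top-level TLV in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def is_der_canonical(rdn_der):
    """False if any AttributeTypeAndDistinguishedValue carries an explicit
    primaryDistinguished TRUE, i.e. a DEFAULT value DER says to omit."""
    for set_tag, set_body in iter_tlv(rdn_der):
        if set_tag != 0x31:
            return False
        for seq_tag, seq_body in iter_tlv(set_body):
            parts = list(iter_tlv(seq_body))
            if seq_tag != 0x30 or any(t == 0x01 and c == b"\xff" for t, c in parts[2:]):
                return False
    return True

if __name__ == "__main__":
    for form in (encode_rdn("Erik"), encode_rdn("Erik", encode_default=True)):
        print(form.hex(), is_der_canonical(form))
```

The two encodings differ by the three octets 01 01 ff, so a signature computed over one form does not verify against the other unless the verifier decodes and re-encodes canonically first.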