[x500standard] Re: SV: [Spam] Re: DER encoding of certificates

  • From: David Wilson <David.Wilson@xxxxxxxxx>
  • To: x500standard@xxxxxxxxxxxxx
  • Date: Thu, 07 Jul 2011 10:01:30 +0100

On Thu, 2011-07-07 at 08:44 +0200, Erik Andersen wrote:
> Implementations will then
> always perform signature check over the "blob" (which could be BER
> encoded). 

This is already specified in X.509 (end of section 6):

"When checking signatures in received data, [the Directory] shall check
the signature against the actual data received rather than its
conversion of the received data to a distinguished encoding."

So, for generators of signed objects, the octets sent must be the octets
used to generate the signature.

For SIGNATURE rather than SIGNED, the requirement means that the
verifier needs to preserve the received encoding of the object(s) to be
used.

However, signers should use DER, in case a verifier does not follow
this, and does decode+re-encode in DER.

David
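The situation discussed above, as an added example that is not part of the original post: a short BER/DER encoder and a DER re-encoder show why a signature over a BER "blob" only verifies if the verifier checks the octets actually received. An HMAC over a constructed demo key stands in for the signature, and the SEQUENCE value is constructed for the example.

```python
import hmac
import hashlib

# Constructed demo key: an HMAC tag plays the role of the signature so the
# example runs on the standard library alone.
KEY = b"constructed-demo-key"

def encode_tlv(tag, content, long_form=False):
    """Definite-length BER TLV. long_form=True emits a long-form length for a
    short value: legal BER, but not DER (DER requires the minimal form)."""
    n = len(content)
    if n < 128 and not long_form:
        length = bytes([n])
    else:
        lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def parse_tlv(data, pos=0):
    """Return (tag, content, next_pos) for one single-byte-tag, definite-length TLV."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(data[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, data[start:start + n], start + n

def der_reencode(data):
    """What a verifier that decodes and re-encodes in DER does: walk the TLV
    tree and rewrite every length in minimal form (idempotent on DER input)."""
    out, pos = b"", 0
    while pos < len(data):
        tag, content, pos = parse_tlv(data, pos)
        if tag & 0x20:  # constructed type: canonicalise the children as well
            content = der_reencode(content)
        out += encode_tlv(tag, content)
    return out

def sign(blob):
    return hmac.new(KEY, blob, hashlib.sha256).digest()

def verify_over_received(blob, sig):
    # The X.509 rule: check against the actual octets received.
    return hmac.compare_digest(sign(blob), sig)

def verify_over_reencoded(blob, sig):
    # The non-conforming verifier the mail warns about.
    return hmac.compare_digest(sign(der_reencode(blob)), sig)

# Constructed sample: SEQUENCE { INTEGER 1, UTF8String "x500" }
BODY = encode_tlv(0x02, b"\x01") + encode_tlv(0x0C, b"x500")
BER_BLOB = encode_tlv(0x30, BODY, long_form=True)  # 30 81 09 ... (BER only)
DER_BLOB = encode_tlv(0x30, BODY)                  # 30 09 ...    (DER)
```

A signature made over BER_BLOB passes verify_over_received but fails verify_over_reencoded; one made over DER_BLOB passes both, which is the reason the mail recommends that signers use DER.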
