On Thu, 2011-07-07 at 08:44 +0200, Erik Andersen wrote:

> Implementations will then always perform signature check over the
> "blob" (which could be BER encoded).

This is already specified in X.509 (end of section 6): "When checking signatures in received data, [the Directory] shall check the signature against the actual data received rather than its conversion of the received data to a distinguished encoding."

So, for generators of signed objects, the octets sent must be the octets used to generate the signature.

For SIGNATURE rather than SIGNED, the requirement means that the verifier needs to preserve the received encoding of the object(s) to be used. However, signers should use DER, in case a verifier does not follow this and instead decodes and re-encodes in DER.

David

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
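The two verifier behaviours contrasted in the message above, as an added example that is not part of the thread: a keyed HMAC stands in for the real public-key signature, the sample BER (indefinite-length) and DER encodings of `SEQUENCE { INTEGER 5, OCTET STRING "hi" }` are constructed here, and the verifier's BER-to-DER conversion is a minimal one that only handles a single top-level constructed value. It shows that a signature made over BER octets fails once the verifier re-encodes to DER, whereas a signer that used DER verifies either way.

```python
import hashlib
import hmac

# Constructed sample: the same value, SEQUENCE { INTEGER 5, OCTET STRING "hi" },
# in BER indefinite-length form and in DER definite-length form.
BER_BLOB = bytes.fromhex("3080" "020105" "04026869" "0000")
DER_BLOB = bytes.fromhex("3007" "020105" "04026869")

# Demo key: an HMAC stands in for the signer's key pair (not a real X.509 signature).
DEMO_KEY = b"demo-signing-key"


def sign(octets: bytes) -> bytes:
    """Signer: the signature covers exactly the octets that will be sent."""
    return hmac.new(DEMO_KEY, octets, hashlib.sha256).digest()


def to_der(blob: bytes) -> bytes:
    """Minimal BER -> DER: rewrite one top-level indefinite-length constructed
    TLV into definite short form. Inner elements are assumed to be DER already."""
    if len(blob) < 2 or blob[1] != 0x80:
        return blob  # already definite length; assumed DER
    if blob[-2:] != b"\x00\x00":
        raise ValueError("indefinite-length value lacks end-of-contents octets")
    content = blob[2:-2]
    if len(content) > 127:
        raise ValueError("long-form length not handled in this demo")
    return bytes([blob[0], len(content)]) + content


def verify_received(blob: bytes, sig: bytes) -> bool:
    """X.509 section 6 behaviour: check against the actual octets received."""
    return hmac.compare_digest(sign(blob), sig)


def verify_reencoded(blob: bytes, sig: bytes) -> bool:
    """Non-conforming verifier: decodes and re-encodes in DER before checking."""
    return hmac.compare_digest(sign(to_der(blob)), sig)


def demo() -> dict:
    """Exercise both verifiers against a BER-signing and a DER-signing generator."""
    ber_sig, der_sig = sign(BER_BLOB), sign(DER_BLOB)
    return {
        "ber_signer/received": verify_received(BER_BLOB, ber_sig),    # True
        "ber_signer/reencoded": verify_reencoded(BER_BLOB, ber_sig),  # False
        "der_signer/received": verify_received(DER_BLOB, der_sig),    # True
        "der_signer/reencoded": verify_reencoded(DER_BLOB, der_sig),  # True
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verifies' if ok else 'FAILS'}")
```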