I agree and I feel the issue is sufficiently resolved.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

-----Original message-----
From: pkix-bounces@xxxxxxxx [mailto:pkix-bounces@xxxxxxxx] On behalf of David Wilson
Sent: 7 July 2011 11:02
To: x500standard@xxxxxxxxxxxxx
Cc: PKIX; SG17-Q11
Subject: [Spam] Re: [pkix] [x500standard] SV: [Spam] Re: DER encoding of certificates

On Thu, 2011-07-07 at 08:44 +0200, Erik Andersen wrote:
> Implementations will then
> always perform signature check over the "blob" (which could be BER
> encoded).

This is already specified in X.509 (end of section 6):

"When checking signatures in received data, [the Directory] shall check
the signature against the actual data received rather than its
conversion of the received data to a distinguished encoding."

So, for generators of signed objects, the octets sent must be the octets
used to generate the signature. For SIGNATURE rather than SIGNED, the
requirement means that the verifier needs to preserve the received
encoding of the object(s) to be used.

However, signers should use DER, in case a verifier does not follow
this, and does decode+re-encode in DER.

David
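The difference between checking over the received octets and checking over a DER re-encoding, as an added example that is not part of the original thread. It assumes a constructed wrapper `SEQUENCE { tbs, OCTET STRING }` in which a SHA-256 digest stands in for the signature value, and a small BER subset (definite lengths, single-byte tags); all function names are hypothetical.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Parse one definite-length BER TLV at pos; return (tag, value, end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length is outside this sketch")
    if first < 0x80:                         # short-form length
        length, hdr = first, 2
    else:                                    # long form, legal in BER even when short would fit
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos + hdr:end], end

def der_len(n):
    """Minimal (DER) length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def to_der(buf):
    """Decode and re-encode one element in DER (subset: lengths, BOOLEAN, nesting)."""
    tag, value, _ = read_tlv(buf)
    if tag & 0x20:                           # constructed: normalise each child
        out, pos = b"", 0
        while pos < len(value):
            end = read_tlv(value, pos)[2]
            out, pos = out + to_der(value[pos:end]), end
        value = out
    elif tag == 0x01 and value != b"\x00":   # DER BOOLEAN TRUE is exactly 0xFF
        value = b"\xff"
    return bytes([tag]) + der_len(len(value)) + value

def check(blob, reencode):
    """Verifier side. blob = SEQUENCE { tbs, OCTET STRING sha256(tbs as sent) }."""
    outer = read_tlv(blob)[1]
    tbs_end = read_tlv(outer)[2]
    tbs = outer[:tbs_end]                    # received octets, untouched
    sent = read_tlv(outer, tbs_end)[1]
    if reencode:
        tbs = to_der(tbs)                    # the decode+re-encode behaviour
    return hashlib.sha256(tbs).digest() == sent

def wrap(tbs):
    """Signer side: digest the exact octets that will be sent."""
    inner = tbs + b"\x04\x20" + hashlib.sha256(tbs).digest()
    return b"\x30" + der_len(len(inner)) + inner

# Constructed sample: SEQUENCE { INTEGER 5, BOOLEAN TRUE } in BER and in DER.
BER_TBS = bytes.fromhex("308106020105010101")
DER_TBS = bytes.fromhex("30060201050101ff")
```

With `wrap(BER_TBS)` only the verifier that keeps the received octets accepts; with `wrap(DER_TBS)` both verifiers accept, which is why the signer is advised to emit DER.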