[x500standard] SV: [Spam] Re: [pkix] SV: [Spam] Re: DER encoding of certificates

  • From: "Erik Andersen" <era@xxxxxxx>
  • To: "'David Wilson'" <David.Wilson@xxxxxxxxx>, <x500standard@xxxxxxxxxxxxx>
  • Date: Thu, 7 Jul 2011 18:03:47 +0200

I agree and I feel the issue is sufficiently resolved. 

Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-mail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik

-----Original message-----
From: pkix-bounces@xxxxxxxx [mailto:pkix-bounces@xxxxxxxx] On behalf of David
Wilson
Sent: 7 July 2011 11:02
To: x500standard@xxxxxxxxxxxxx
Cc: PKIX; SG17-Q11
Subject: [Spam] Re: [pkix] [x500standard] SV: [Spam] Re: DER encoding of
certificates

On Thu, 2011-07-07 at 08:44 +0200, Erik Andersen wrote:
> Implementations will then
> always perform signature check over the "blob" (which could be BER
> encoded). 

This is already specified in X.509 (end of section 6):

"When checking signatures in received data, [the Directory] shall check
the signature against the actual data received rather than its
conversion of the received data to a distinguished encoding."

So, for generators of signed objects, the octets sent must be the octets
used to generate the signature.

For SIGNATURE rather than SIGNED, the requirement means that the
verifier needs to preserve the received encoding of the object(s) to be
used.

However, signers should use DER, in case a verifier does not follow
this, and does decode+re-encode in DER.

David

_______________________________________________
pkix mailing list
pkix@xxxxxxxx
https://www.ietf.org/mailman/listinfo/pkix
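
The difference between checking the octets as received and checking a decode + DER re-encode, as an added example that is not part of the original thread or of any implementation it mentions. The function names and sample bytes are constructed for illustration, and a SHA-256 digest stands in for the input a real signature algorithm would cover.

```python
import hashlib

def read_tlv(buf, off=0):
    """Return (tag, content_start, end) of the definite-length TLV at buf[off]."""
    tag, first = buf[off], buf[off + 1]    # single-octet tags only
    if first < 0x80:                       # short-form length
        length, start = first, off + 2
    elif first == 0x80:
        raise ValueError("indefinite length is not handled here")
    else:                                  # long form: low 7 bits = count of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        start = off + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, start, start + length

def der_length(n):
    if n < 0x80:                           # DER requires the minimal length form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tbs_as_received(signed):
    """Exact octets of the first element inside the outer SEQUENCE."""
    _, start, _ = read_tlv(signed)
    _, _, end = read_tlv(signed, start)
    return signed[start:end]

def tbs_reencoded(signed):
    """Result of decode + DER re-encode (only the length form is normalised)."""
    _, start, _ = read_tlv(signed)
    tag, content, end = read_tlv(signed, start)
    return bytes([tag]) + der_length(end - content) + signed[content:end]

# Constructed samples: the same value (INTEGER 5 in a SEQUENCE), encoded two ways.
TBS_BER = bytes.fromhex("308103020105")    # long-form length: valid BER, not DER
TBS_DER = bytes.fromhex("3003020105")
SIG = bytes.fromhex("030200aa")            # placeholder BIT STRING, not a real signature

def verifier_inputs_match(tbs):
    """(as-received octets match the signer's, re-encoded octets match the signer's)."""
    signed = hashlib.sha256(tbs).digest()  # stand-in for what the signature covers
    msg = b"\x30" + der_length(len(tbs) + len(SIG)) + tbs + SIG
    return (hashlib.sha256(tbs_as_received(msg)).digest() == signed,
            hashlib.sha256(tbs_reencoded(msg)).digest() == signed)

if __name__ == "__main__":
    print(verifier_inputs_match(TBS_BER), verifier_inputs_match(TBS_DER))
```

With a BER-encoding signer only the verifier that keeps the received octets succeeds; with a DER-encoding signer both verifiers succeed.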

-----
www.x500standard.com: The central source for information on the X.500 Directory 
Standard.
