So far, we have no plans within ITU-T to suggest XER encoding of certificates. This would certainly require a lot of considerations. Erik Andersen Andersen's L-Service Elsevej 48, DK-3500 Vaerloese Denmark Mobile: +45 2097 1490 e-amail: era@xxxxxxx Skype: andersen-erik http://www.x500.eu/ http://www.x500standard.com/ http://dk.linkedin.com/in/andersenerik -----Oprindelig meddelelse----- Fra: Kyle Hamilton [mailto:kyanha@xxxxxxxxxx] Sendt: 8. juli 2011 02:05 Til: Phillip Hallam-Baker Cc: Erik Andersen; x500standard@xxxxxxxxxxxxx; SG17-Q11; PKIX Emne: [Spam] Re: [pkix] [Spam] Re: [x500standard] DER encoding of certificates On Thu, Jul 7, 2011 at 5:16 AM, Phillip Hallam-Baker <hallam@xxxxxxxxx> wrote: > I chose 4 or 5: > 4) Eliminate the DER encoding requirement completely > 5) Do nothing at all > PKIX is written to serve the needs of Internet applications. Canonical > encoding of certs has no value for those applications. Canonical encoding of certificates greatly reduces (but does not completely eliminate) the capacity for malicious actors to find hash collisions which will also be valid. I suggest that either 5 or 3 is appropriate, 1 is already existing practice, and 4 and 2 are unacceptable. 1 causes me to wonder, "doesn't anyone care about CPU cycles and/or memory requirements?" My order of preference would be (from the options proposed by this OP and Erik Andersen) 5, 3. 5) Do nothing 4) remove DER mandate completely 3) Mandate DER (AFAICT, already the case) 2) Remove DER mandate from 6.1 of X.509 (undesirable for the same reason that 4 is) 1) Mandate decoding/re-encoding (already the case for conversion between different encoding rules) Please, stop overthinking it. As for XER and its inability to produce a canonical encoding given the dual names, I suggest accepting and transmitting either. ITU messed it up, and we now have to live with the consequences. Since there are two possible canonical encodings, it still mitigates the hash-collision possibility issue, albeit with twice the potential collision capacity. (This is, of course, unless everyone WANTS to do away with the Certificate definition, which would leave everyone who supports legacy systems -- that is, most of us -- out in the cold.) -Kyle H ----- www.x500standard.com: The central source for information on the X.500 Directory Standard.