[x500standard] SV: [Spam] Re: [pkix] [Spam] Re: DER encoding of certificates
- From: "Erik Andersen" <era@xxxxxxx>
- To: "'Kyle Hamilton'" <kyanha@xxxxxxxxxx>, "'Phillip Hallam-Baker'" <hallam@xxxxxxxxx>
- Date: Fri, 8 Jul 2011 10:32:34 +0200
So far, we have no plans within ITU-T to suggest XER encoding of
certificates. This would certainly require a lot of considerations.
Erik Andersen
Andersen's L-Service
Elsevej 48,
DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
e-amail: era@xxxxxxx
Skype: andersen-erik
http://www.x500.eu/
http://www.x500standard.com/
http://dk.linkedin.com/in/andersenerik
-----Oprindelig meddelelse-----
Fra: Kyle Hamilton [mailto:kyanha@xxxxxxxxxx]
Sendt: 8. juli 2011 02:05
Til: Phillip Hallam-Baker
Cc: Erik Andersen; x500standard@xxxxxxxxxxxxx; SG17-Q11; PKIX
Emne: [Spam] Re: [pkix] [Spam] Re: [x500standard] DER encoding of
certificates
On Thu, Jul 7, 2011 at 5:16 AM, Phillip Hallam-Baker <hallam@xxxxxxxxx>
wrote:
> I chose 4 or 5:
> 4) Eliminate the DER encoding requirement completely
> 5) Do nothing at all
> PKIX is written to serve the needs of Internet applications. Canonical
> encoding of certs has no value for those applications.
Canonical encoding of certificates greatly reduces (but does not completely
eliminate) the capacity for malicious actors to find hash collisions which
will also be valid.
I suggest that either 5 or 3 is appropriate, 1 is already existing practice,
and 4 and 2 are unacceptable. 1 causes me to wonder, "doesn't anyone care
about CPU cycles and/or memory requirements?" My order of preference would
be (from the options proposed by this OP and Erik Andersen) 5, 3.
5) Do nothing
4) remove DER mandate completely
3) Mandate DER (AFAICT, already the case)
2) Remove DER mandate from 6.1 of X.509 (undesirable for the same reason
that 4 is)
1) Mandate decoding/re-encoding (already the case for conversion between
different encoding rules)
Please, stop overthinking it.
As for XER and its inability to produce a canonical encoding given the dual
names, I suggest accepting and transmitting either. ITU messed it up, and
we now have to live with the consequences. Since there are two possible
canonical encodings, it still mitigates the hash-collision possibility
issue, albeit with twice the potential collision capacity.
(This is, of course, unless everyone WANTS to do away with the Certificate
definition, which would leave everyone who supports legacy systems -- that
is, most of us -- out in the cold.)
-Kyle H
-----
www.x500standard.com: The central source for information on the X.500 Directory
Standard.
Other related posts:
- » [x500standard] SV: [Spam] Re: [pkix] [Spam] Re: DER encoding of certificates - Erik Andersen
