Erik, detail information is in ITU-T X.509 http://www.itu.int/rec/T-REC-X.509-200508-I RFC 5280 is only a profile for Internet on-line services like TSL/SSL, ... ITU-T Rec. X.509 (08/2005) 6.1 Digital signatures The value of the bit string is generated by taking the octets which form the complete encoding (using the ASN.1 Basic Encoding Rules – ITU-T Rec. X.690 (2002) | ISO/IEC 8825-1:2002) of the value of the ToBeEnciphered type and applying an encipherment procedure to those octets. New certificates for any test or use you can generate in "Utility" tab, "New Key" button. http://lockitin.webnode.sk/products/produkt-1/ Peter Rybar National Security Authority Information Security and Electronic Signature Department Budatinska 30, 850 07 Bratislava 57, Slovak Republic tel.: +421 2 6869 2163 mob.: +421 902 891 155 fax: +421 2 6869 1701 e-mail: peter.rybar@xxxxxxxx e-mail: peterryb@xxxxxxxxx 2011/7/6 Erik Andersen <era@xxxxxxx> > Hi folks, > > > > In contrast to RFC 5280, X.509 does not require DER encoding. It only > requires that the signature is generated across a DER encoded certificate, > but the itself certificate may be encoded using BER. > > > > Should we add a sentence somewhere in X.509 and possibly in RFC 5280 > specifying that when verifying a signature a relying party shall decode and > then encode the certificate in DER to verifying the signature? > > > > Erik Andersen > > Andersen's L-Service > > Elsevej 48, > > DK-3500 Vaerloese > > Denmark > > Mobile: +45 2097 1490 > > e-amail: era@xxxxxxx > > Skype: andersen-erik > > http://www.x500.eu/ > > http://www.x500standard.com/ > > http://dk.linkedin.com/in/andersenerik > > > > _______________________________________________ > pkix mailing list > pkix@xxxxxxxx > https://www.ietf.org/mailman/listinfo/pkix > >