[x500standard] Re: [pkix] DER encoding of certificates

  • From: Carl Wallace <carl@xxxxxxxxxxxxxxxxxxxx>
  • To: Erik Andersen <era@xxxxxxx>, Directory list <x500standard@xxxxxxxxxxxxx>, SG17-Q11 <t09sg17q11@xxxxxxxxxxxxx>, PKIX <pkix@xxxxxxxx>
  • Date: Wed, 06 Jul 2011 08:01:14 -0400

No.  For one reason, verifiers may not know how to DER encode some
extensions.  It'd be better to require DER or require verification to use
toBeSigned bytes as they appear (be they BER or DER).

From:  Erik Andersen <era@xxxxxxx>
Date:  Wed, 6 Jul 2011 08:34:39 +0200
To:  Directory list <x500standard@xxxxxxxxxxxxx>, SG17-Q11
<t09sg17q11@xxxxxxxxxxxxx>, PKIX <pkix@xxxxxxxx>
Subject:  [pkix] DER encoding of certificates

> Hi folks,
>  
> In contrast to RFC 5280,  X.509 does not require DER encoding. It only
> requires that the signature is generated across a DER encoded certificate, but
> the certificate itself may be encoded using BER.
>  
> Should we add a sentence somewhere in X.509 and possibly in RFC 5280
> specifying that when verifying a signature a relying party shall decode and
> then encode the certificate in DER to verify the signature?
>  
> Erik Andersen
> Andersen's L-Service
> Elsevej 48,
> DK-3500 Vaerloese
> Denmark
> Mobile: +45 2097 1490
> e-mail: era@xxxxxxx
> Skype: andersen-erik
> http://www.x500.eu/
> http://www.x500standard.com/
> http://dk.linkedin.com/in/andersenerik
>  
> _______________________________________________ pkix mailing list
> pkix@xxxxxxxx https://www.ietf.org/mailman/listinfo/pkix
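
Added example, not part of either message: a sketch of the two verification inputs discussed in this thread, hashing the toBeSigned bytes as received versus hashing a re-encoding made without knowledge of the extension's type. The sample bytes are a constructed toy structure, not a real certificate, all function names are illustrative, and SHA-256 stands in for the hash step of the signature algorithm.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one definite-length BER TLV at pos; return (tag, content_start, end)."""
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F or first == 0x80:
        raise ValueError("multi-byte tags / indefinite lengths not handled here")
    if first < 0x80:                      # short form
        length, start = first, pos + 2
    else:                                 # long form; BER allows non-minimal use
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, start, start + length

def der_len(n):
    """Minimal (DER) length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def reencode(buf):
    """Schema-less re-encode: minimal lengths, recursing into constructed TLVs only."""
    out, pos = b"", 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        content = buf[start:end]
        if tag & 0x20:                    # constructed: normalise children too
            content = reencode(content)
        out += bytes([tag]) + der_len(len(content)) + content
        pos = end
    return out

def tbs_as_received(signed):
    """Raw bytes (header included) of the first element of the outer SEQUENCE."""
    _, start, _ = read_tlv(signed, 0)
    _, _, end = read_tlv(signed, start)
    return signed[start:end]

def digests(signed):
    """SHA-256 over (bytes as received, schema-less re-encoding)."""
    tbs = tbs_as_received(signed)
    return hashlib.sha256(tbs).hexdigest(), hashlib.sha256(reencode(tbs)).hexdigest()

# Constructed toy input, not a real certificate: SEQUENCE { tbs, BIT STRING }.
# tbs uses a non-minimal length (30 81 0A) and wraps BOOLEAN 0x01 in an OCTET STRING.
SIGNED = bytes.fromhex("3011" "30810a020105" "04053003010101" "030200aa")
```

The re-encoder fixes the outer length but leaves the BOOLEAN inside the OCTET STRING as 0x01, because normalising it to DER's 0xFF requires knowing the type carried in that extension value.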

