[x500standard] Re: [pkix] DER encoding of certificates

  • From: Santosh Chokhani <SChokhani@xxxxxxxxxxxx>
  • To: "Richard L. Barnes" <rbarnes@xxxxxxx>
  • Date: Wed, 6 Jul 2011 11:40:48 -0400

(BTW, messages to one mail list seem to get rejected).

I do not see an issue.  The signer signs something.  You verify it.  You keep 
and transmit the blob and signature.  You or anyone can decode the blob and as 
long as decoding is definitive (which to my knowledge it is), no problems or 
ambiguities should be encountered.

-----Original Message-----
From: Richard L. Barnes [mailto:rbarnes@xxxxxxx] 
Sent: Wednesday, July 06, 2011 11:37 AM
To: Santosh Chokhani
Cc: mrex@xxxxxxx; Carl Wallace; x500standard@xxxxxxxxxxxxx; 
t09sg17q11@xxxxxxxxxxxxx; pkix@xxxxxxxx
Subject: Re: [pkix] DER encoding of certificates

Don't you then run into the question of whether the DER blob is the same as the 
non-DER bits?

--Richard


On Jul 6, 2011, at 9:56 AM, Santosh Chokhani wrote:

> Do not need to re-encode.  Always keep the blob around.
> 
> -----Original Message-----
> From: pkix-bounces@xxxxxxxx [mailto:pkix-bounces@xxxxxxxx] On Behalf Of 
> Martin Rex
> Sent: Wednesday, July 06, 2011 9:40 AM
> To: Carl Wallace
> Cc: x500standard@xxxxxxxxxxxxx; t09sg17q11@xxxxxxxxxxxxx; pkix@xxxxxxxx
> Subject: Re: [pkix] DER encoding of certificates
> 
> Carl Wallace wrote:
>> 
>> No.  For one reason, verifiers may not know how to DER encode some
>> extensions.  It'd be better to require DER or require verification to use
>> toBeSigned bytes as they appear (be they BER or DER).
> 
> Expecting verifiers to parse and re-encode certs before being able
> to verify a digital certificate seems like a very bad idea with
> respect to performance, reliability and complexity.
> 
> 
> The other problem is that there are too many defective ASN.1 encoders
> out there, some of them actively used by certificate issuers.
> GlobalSign has been distributing a RootCA cert in browsers that
> was using incorrect ASN.1 DER -- and that caused verification
> failures on some occasions.  IIRC, the bug was in the ASN.1
> encoding of the KeyUsage BIT STRING, which is a NamedBitList
> (and according to X.690 11.2 + X.680 21.7 trailing 0 bits must
> be removed in ASN.1 DER from a NamedBitList during encoding.)
> 
> 
> -Martin
> _______________________________________________
> pkix mailing list
> pkix@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/pkix

-----
www.x500standard.com: The central source for information on the X.500 Directory 
Standard.
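
A worked illustration of the two points argued in this thread (Martin's NamedBitList rule from X.690 11.2 and the "verify the toBeSigned bytes as they appear" position), added here as an example and not part of any message above. Everything in it is an assumption for illustration: the padded BIT STRING is constructed to mimic an encoder that keeps trailing zero bits and is not the byte sequence of the GlobalSign root or any real certificate; a SHA-256 of the blob stands in for the issuer's signature; and the KeyUsage BIT STRING alone stands in for the whole tbsCertificate.

```python
import hashlib

# KeyUsage named bits as listed in RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
BIT_STRING_TAG = 0x03


def _pack_bits(nbits, set_bits):
    """Pack named bits 0..nbits-1 into octets (bit 0 is the MSB of octet 0).
    Returns (octets, number of unused trailing bits in the last octet)."""
    nbytes = (nbits + 7) // 8
    buf = bytearray(nbytes)
    for b in set_bits:
        if b < nbits:
            buf[b // 8] |= 0x80 >> (b % 8)
    return bytes(buf), nbytes * 8 - nbits


def _bit_string_tlv(unused, octets):
    """Short-form BIT STRING TLV: tag, length, unused-bits octet, content."""
    content = bytes([unused]) + octets
    assert len(content) < 0x80, "this example only handles short-form lengths"
    return bytes([BIT_STRING_TAG, len(content)]) + content


def der_encode_named_bits(names):
    """DER BIT STRING for a NamedBitList: trailing zero bits are removed, so the
    string ends at the highest set bit (X.690 11.2.2). No bits set -> 03 01 00."""
    set_bits = {KEY_USAGE_BITS[n] for n in names}
    nbits = max(set_bits) + 1 if set_bits else 0
    octets, unused = _pack_bits(nbits, set_bits)
    return _bit_string_tlv(unused, octets)


def ber_encode_named_bits_padded(names, width=16):
    """A BER-legal but non-DER encoding that keeps trailing zero bits up to a
    fixed width. Constructed to stand in for a sloppy issuer encoder; it is not
    the byte sequence of any real certificate."""
    set_bits = {KEY_USAGE_BITS[n] for n in names}
    octets, unused = _pack_bits(width, set_bits)
    return _bit_string_tlv(unused, octets)


def decode_bit_string(tlv):
    """Decode a short-form BIT STRING TLV to the set of indices of set bits.
    Accepts both the DER and the padded BER form; rejects malformed input."""
    if len(tlv) < 3 or tlv[0] != BIT_STRING_TAG or tlv[1] >= 0x80:
        raise ValueError("not a short-form BIT STRING")
    if len(tlv) != 2 + tlv[1]:
        raise ValueError("length octet does not match input")
    unused, body = tlv[2], tlv[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits octet")
    nbits = len(body) * 8 - unused
    return {i for i in range(nbits) if body[i // 8] & (0x80 >> (i % 8))}


def names_for(bits):
    return [n for n, i in KEY_USAGE_BITS.items() if i in bits]


def is_der_named_bits(tlv):
    """DER check: decode, re-encode canonically, compare the bytes."""
    return der_encode_named_bits(names_for(decode_bit_string(tlv))) == tlv


def signed_digest(tbs):
    """Stand-in for the issuer's signature: a real signature covers a hash of
    exactly these toBeSigned bytes, so the hash alone shows the point."""
    return hashlib.sha256(tbs).digest()


def verify_as_transmitted(tbs, digest):
    """Verify over the bytes as they appear (keep the blob, never re-encode)."""
    return signed_digest(tbs) == digest


def verify_after_reencode(tbs, digest):
    """Verify over a parse-then-DER-re-encode of the bytes, the approach argued
    against in the thread. Only the KeyUsage BIT STRING is modelled here."""
    canonical = der_encode_named_bits(names_for(decode_bit_string(tbs)))
    return signed_digest(canonical) == digest


def demo():
    ca_usage = ["keyCertSign", "cRLSign"]
    der = der_encode_named_bits(ca_usage)            # 03 02 01 06
    padded = ber_encode_named_bits_padded(ca_usage)  # 03 03 00 06 00
    sig = signed_digest(padded)  # the issuer signed the padded bytes it emitted
    return {
        "der": der.hex(),
        "padded": padded.hex(),
        "same_bits": decode_bit_string(der) == decode_bit_string(padded),
        "padded_is_der": is_der_named_bits(padded),
        "verify_as_transmitted": verify_as_transmitted(padded, sig),
        "verify_after_reencode": verify_after_reencode(padded, sig),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both encodings decode to the same two named bits, so decoding is unambiguous, which is the thread's point in favour of keeping the blob. The verifier that re-encodes before hashing rejects a signature that is perfectly valid over the bytes the issuer actually signed, while the verifier that hashes the bytes as transmitted accepts it. The `is_der_named_bits` check is what a lint or issuance-time test would run to catch the non-DER form before it ships in a root.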
