I think we may have a different opinion of what could be maintenance. Feel free to explain. Anyway, you can do exactly what AUTOMATIC does with concrete tags. The message was not necessarily to promote AUTOMATIC, but a question why there is a different tagging regime involved which is not totally respected because OCTET STRINGS are IMPLICIT tagged when they contain other syntaxes.

Russ Housley wrote:
I find AUTOMATIC TAGS to be more difficult later down the line when one is doing maintenance. In my opinion, it hides too much.

Russ

At 09:10 AM 11/3/2005, Olivier Dubuisson wrote:

Tom Gindin wrote:

If it isn't too late to fix this without breaking lots of implementations, the ASN.1 in this specification is over-tagged. In section 3.2.1, all three of the tags in PA-PK-AS-REQ are unnecessary, and the one on signedAuthPack is actually slightly harmful. None of the tags in PKAuthenticator do any good either. The OCTET STRING wrappings for subjectName and issuerAndSerialNumber are not really appropriate, and subjectName doesn't need a tag. Even in AuthPack, pkAuthenticator and clientDHNonce don't need tags. Similarly, in 3.2.3, there is no reason for any of the tags in PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in ReplyKeyPack in 3.2.3.2 also seem unnecessary.

The easiest thing would be to put "AUTOMATIC TAGS" in the module header (instead of "EXPLICIT TAGS") and not bother with tags, for "AUTOMATIC TAGS" would tag where necessary. But I understand from another response that the Kerberos team doesn't want to deviate from their historical choice...

--
Olivier DUBUISSON
France Telecom Recherche & Developpement
R&D/MAPS/AMS - 22307 Lannion Cedex - France
t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 - http://asn1.elibel.tm.fr/
--
To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the authority's certificate; you will also find the list of revoked certificates there.
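The tagging cost this thread argues about, shown on DER bytes as an added example (not part of the original messages or of the specification under discussion): a minimal DER encoder that encodes the same two-field SEQUENCE untagged, with EXPLICIT context tags, and with IMPLICIT context tags. The two-field structure, its values and all helper names are constructed for illustration; tag numbers below 31 and non-negative integers are assumed.

```python
# Added example: DER cost of EXPLICIT vs IMPLICIT context tags.
# The structure (INTEGER + OCTET STRING) and its values are constructed.

def der_len(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value triple with a single-byte tag."""
    return bytes([tag]) + der_len(len(content)) + content

def integer(v: int) -> bytes:
    """INTEGER (universal tag 0x02), non-negative values only."""
    # One extra byte when needed keeps the sign bit clear.
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)

def sequence(*fields: bytes) -> bytes:
    return tlv(0x30, b"".join(fields))

def explicit(n: int, inner: bytes) -> bytes:
    """[n] EXPLICIT: wrap the complete inner TLV in a constructed context tag."""
    return tlv(0xA0 | n, inner)

def implicit(n: int, inner: bytes) -> bytes:
    """[n] IMPLICIT: replace the inner tag, keeping its constructed bit (0x20)."""
    return bytes([0x80 | (inner[0] & 0x20) | n]) + inner[1:]

def encodings(nonce: int, data: bytes) -> dict:
    """Encode the same two fields under the three tagging choices."""
    fields = [integer(nonce), octet_string(data)]
    return {
        "untagged": sequence(*fields),
        "explicit": sequence(*(explicit(i, f) for i, f in enumerate(fields))),
        "implicit": sequence(*(implicit(i, f) for i, f in enumerate(fields))),
    }

if __name__ == "__main__":
    for name, der in encodings(5, b"\x01\x02\x03").items():
        print(f"{name:9} {len(der):2} bytes  {der.hex()}")
```

Each EXPLICIT tag adds its own tag and length octets around the inner encoding, while an IMPLICIT tag keeps the size but overwrites the universal type octet, so a decoder needs the schema to know what the field contains.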