rfc3280bis change requested
I believe that in section 4.2 there needs to be a statement added to the
effect that extensions MUST be encoded using DER and stored in that encoding
in the extnValue field.
The following scenario demonstrates why I believe this statement needs to be
added.
1. Assume Alice is a CA and places a private extension in every certificate
that is issued.
2. Alice creates the certificate using DER encoding throughout, hashes and
signs.
3. Alice then re-encodes the entire certificate using BER indefinite
encoding (for unknown reasons) and passes the certificate to Bob.
4. Bob attempts to change the encoding of the certificate from BER
indefinite to DER and cannot always do so for the private extension unless
he also knows the syntax associated with it. Bob will not be able to a)
remove all default values and b) recognize all SET types and sort them.
Example:

    PrivateExtension ::= SEQUENCE {
        bool  BOOLEAN DEFAULT FALSE,
        iSet  [0] IMPLICIT SET OF INTEGER
    }
Jim
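
The scenario in the message above, worked through on bytes. This is an added example, not part of the original post: it compares what a recipient can recover from a BER indefinite-length re-encoding of PrivateExtension with and without knowledge of its syntax. The function names and the sample values (bool = FALSE, iSet = {1, 2}) are constructed for illustration.

```python
# Added illustration. Constructed sample values: bool = FALSE, iSet = {1, 2}.
# Assumes single-byte tags and short-form lengths (content under 128 bytes).

def tlv(tag, content):
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def parse(buf, pos=0):
    """Parse one BER TLV -> ((tag, value), next_pos); value is a list if constructed."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if not tag & 0x20:                        # primitive: value is raw content
        return (tag, buf[pos:pos + length]), pos + length
    children = []
    if length == 0x80:                        # indefinite: runs to end-of-contents 00 00
        while buf[pos:pos + 2] != b"\x00\x00":
            child, pos = parse(buf, pos)
            children.append(child)
        return (tag, children), pos + 2
    end = pos + length
    while pos < end:
        child, pos = parse(buf, pos)
        children.append(child)
    return (tag, children), end

def emit(node):
    """Re-encode a parsed node with definite lengths."""
    tag, value = node
    body = b"".join(map(emit, value)) if isinstance(value, list) else value
    return tlv(tag, body)

def blind_normalize(ber):
    """Bob without the syntax: can only make lengths definite."""
    return emit(parse(ber)[0])

def schema_normalize(ber):
    """Bob with the PrivateExtension syntax: full DER rules."""
    tag, fields = parse(ber)[0]
    out = []
    for t, v in fields:
        if t == 0x01 and v == b"\x00":        # bool DEFAULT FALSE must be omitted
            continue
        if t == 0xA0:                         # [0] IMPLICIT SET OF: sort element encodings
            v = sorted(v, key=emit)
        out.append((t, v))
    return emit((tag, out))

SIGNED_DER = bytes.fromhex("3008a006020101020102")                # what Alice hashed
ALICE_BER = bytes.fromhex("3080010100a08002010202010100000000")   # her BER re-encoding
```

Without the syntax, the [0] tag gives no indication that its contents are a SET OF, and the explicit FALSE cannot be identified as a default, so the recovered bytes differ from the signed ones.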