
Re: rfc3280bis change requested

ietf@xxxxxxxxxxxxxxxxx wrote:
> I believe that in section 4.2 there needs to be a statement added to the
> effect that extensions MUST be encoded using DER and stored in that encoding
> in the extnValue field.

If there is confusion about whether 3280bis requires extensions to be DER encoded and it is not too late to make a clarifying change, then it would be a good idea to add something to 3280bis that clearly states that extensions must be DER encoded.

This is an X.509 requirement.  The ASN.1 for Extension in X.509 is:

   Extension ::= SEQUENCE {
      extnId       EXTENSION.&id ({ExtensionSet}),
      critical       BOOLEAN DEFAULT FALSE,
      extnValue  OCTET STRING
               -- contains a DER encoding of a value of type &ExtnType
               -- for the extension object identified by extnId -- }


I would suggest the following changes to 3280bis:

section 4.1 and appendix A.1 (add a comment to the ASN.1 for Extension):

old:
  Extension  ::=  SEQUENCE  {
       extnID      OBJECT IDENTIFIER,
       critical    BOOLEAN DEFAULT FALSE,
       extnValue   OCTET STRING  }

new:
  Extension  ::=  SEQUENCE  {
       extnID      OBJECT IDENTIFIER,
       critical    BOOLEAN DEFAULT FALSE,
       extnValue   OCTET STRING
           -- contains the DER encoding of an ASN.1 value corresponding
           -- to the extension type identified by extnID -- }


section 4.2 (add the word "DER" to "ASN.1 encoded"):

old:
  Each extension includes an OID and an ASN.1 structure.  When an
  extension appears in a certificate, the OID appears as the field
  extnID and the corresponding ASN.1 encoded structure is the value of
  the octet string extnValue.

new:
  Each extension includes an OID and an ASN.1 structure.  When an
  extension appears in a certificate, the OID appears as the field
  extnID and the corresponding ASN.1 DER encoded structure is the value of
  the octet string extnValue.
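A worked illustration of the requirement under discussion, added here and not part of the message or of 3280bis: the Python below builds an Extension whose extnValue carries a DER-encoded basicConstraints value, then checks an encoded Extension for the BER forms that DER forbids (indefinite or non-minimal lengths, non-canonical BOOLEAN and INTEGER contents), both in the Extension itself and in the bytes inside extnValue. It uses the real id-ce-basicConstraints OID and no ASN.1 library; the function names and the constructed sample bytes are this example's own.

```python
"""Added example, not from the original message or RFC 3280bis: encode an
X.509 Extension whose extnValue is the DER encoding of the inner value, and
flag the BER forms DER forbids (indefinite/non-minimal lengths, non-canonical
BOOLEAN and INTEGER contents). Function names are this example's own."""
from __future__ import annotations

OID_BASIC_CONSTRAINTS = "2.5.29.19"   # id-ce-basicConstraints

def der_length(n: int) -> bytes:
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body       # long form, minimal octets

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                           # base 128, high bit on all but last
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der_tlv(0x06, bytes(body))

def der_boolean(value: bool) -> bytes:
    return der_tlv(0x01, b"\xff" if value else b"\x00")   # DER TRUE is exactly FF

def der_integer(value: int) -> bytes:
    magnitude = value if value >= 0 else -value - 1       # minimal two's complement
    n = (magnitude.bit_length() + 8) // 8
    return der_tlv(0x02, value.to_bytes(n, "big", signed=True))

def basic_constraints(ca: bool, path_len: int | None = None) -> bytes:
    # SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL };
    # DER omits a component equal to its DEFAULT, so cA FALSE is left out.
    content = der_boolean(True) if ca else b""
    if path_len is not None:
        content += der_integer(path_len)
    return der_tlv(0x30, content)

def extension(oid: str, critical: bool, inner_der: bytes) -> bytes:
    # SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING };
    # the OCTET STRING contents are exactly the DER bytes of the inner value.
    content = der_oid(oid) + (der_boolean(True) if critical else b"")
    return der_tlv(0x30, content + der_tlv(0x04, inner_der))

def _read_tlv(buf: bytes, pos: int, end: int, problems: list) -> tuple | None:
    """Parse one TLV header (single-octet tags); record DER length violations."""
    if pos + 1 >= end:
        problems.append(f"offset {pos}: truncated TLV header")
        return None
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        problems.append(f"offset {pos - 1}: indefinite length (BER only)")
        return None
    length = first
    if first > 0x80:                               # long form: must be minimal
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or n != (length.bit_length() + 7) // 8:
            problems.append(f"offset {pos - 1}: non-minimal length encoding")
        pos += n
    if pos + length > end:
        problems.append(f"offset {pos}: content runs past end of buffer")
        return None
    return tag, pos, pos + length

def der_problems(buf: bytes, start: int = 0, end: int | None = None) -> list[str]:
    """DER violations in buf[start:end]; [] means strict DER for these checks.
    Constructed values are descended; OCTET STRING contents are opaque here."""
    end = len(buf) if end is None else end
    problems: list[str] = []
    pos = start
    while pos < end:
        tlv = _read_tlv(buf, pos, end, problems)
        if tlv is None:
            break
        tag, c_start, c_end = tlv
        c = buf[c_start:c_end]
        if tag & 0x20:
            problems += der_problems(buf, c_start, c_end)
        elif tag == 0x01 and c not in (b"\x00", b"\xff"):
            problems.append(f"offset {c_start}: BOOLEAN contents must be 00 or FF")
        elif tag == 0x02 and (not c or len(c) > 1 and (
                c[0] == 0x00 and c[1] < 0x80 or c[0] == 0xFF and c[1] >= 0x80)):
            problems.append(f"offset {c_start}: non-minimal INTEGER contents")
        pos = c_end
    return problems

def extension_problems(ext: bytes) -> list[str]:
    """Check an Extension's own encoding, then the DER that extnValue must carry."""
    problems = der_problems(ext)
    if problems:
        return problems
    _, pos, c_end = _read_tlv(ext, 0, len(ext), problems)
    last = None
    while pos < c_end:                             # extnID, [critical], extnValue
        last = _read_tlv(ext, pos, c_end, problems)
        pos = last[2]
    if last is None or last[0] != 0x04:
        return ["extnValue OCTET STRING missing"]
    return ["extnValue: " + p for p in der_problems(ext, last[1], last[2])]
```

`extension(OID_BASIC_CONSTRAINTS, True, basic_constraints(True, 0))` yields the familiar 20-byte critical basicConstraints extension, and `extension_problems` returns an empty list for it. Feed it an inner value encoded with BER's indefinite length (`30 80 ... 00 00`) or a long-form length for a short value (`30 81 06 ...`) and the Extension itself is still well formed, which is exactly why the requirement has to be stated for the contents of extnValue and not only for the outer structure.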