X.509 should probably say
Extension ::= SEQUENCE {
    extnId     EXTENSION.&id ({ExtensionSet}),
    critical   BOOLEAN DEFAULT FALSE,
    extnValue  OCTET STRING (CONTAINING
                   EXTENSION.&ExtnType({ExtensionSet}{@extnId}))
}
which would mean that when the signature is created DER encoding is used, but if one uses an XER encoding of the certificate, one would not see the raw DER octets but the XER encoding of the content. I am still not sure whether the above is correct ASN.1, at least some gurus say so.

IMO the text below should say:

    Each extension includes an OID and an ASN.1 structure. When an extension appears in a DER encoding of the certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue.

In particular, DER encoding is used for the calculation of the certificate.

regards

David A. Cooper wrote:
ietf@xxxxxxxxxxxxxxxxx wrote:

    I believe that in section 4.2 there needs to be a statement added to the effect that extensions MUST be encoded using DER and stored in that encoding in the extnValue field.

If there is confusion about whether 3280bis requires extensions to be DER encoded and it is not too late to make a clarifying change, then it would be a good idea to add something to 3280bis that clearly states that extensions must be DER encoded. This is an X.509 requirement. The ASN.1 for Extension in X.509 is:

    Extension ::= SEQUENCE {
        extnId     EXTENSION.&id ({ExtensionSet}),
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING
        -- contains a DER encoding of a value of type &ExtnType
        -- for the extension object identified by extnId --
    }

I would suggest the following changes to 3280bis:

section 4.1 and appendix A.1 (add a comment to the ASN.1 for Extension):

old:

    Extension ::= SEQUENCE {
        extnID     OBJECT IDENTIFIER,
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING
    }

new:

    Extension ::= SEQUENCE {
        extnID     OBJECT IDENTIFIER,
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING
        -- contains the DER encoding of an ASN.1 value corresponding
        -- to the extension type identified by extnID --
    }

section 4.2 (add the word "DER" to "ASN.1 encoded"):

old:

    Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 encoded structure is the value of the octet string extnValue.

new:

    Each extension includes an OID and an ASN.1 structure. When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue.
--
To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the authority's certificate; you will also find the list of revoked certificates there.
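As an added example (not code from the thread, from X.509 or from 3280bis), the layering both messages describe, hand-encoded in pure Python: a basicConstraints value is DER encoded first, and those octets become the content of the extnValue OCTET STRING of the Extension SEQUENCE. All helper names are mine; the encoder and the walker assume short-form lengths (content under 128 octets), which covers the extension built here, and the final check only inspects one level of nesting.

```python
def tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with short-form length (assumes content under 128 octets)."""
    return bytes([tag, len(content)]) + content

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def der_bool(v: bool) -> bytes:
    return tlv(0x01, b"\xff" if v else b"\x00")  # DER: TRUE is exactly 0xFF

def basic_constraints(ca: bool, pathlen=None) -> bytes:
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
    DER omits a component equal to its DEFAULT, so cA FALSE is not encoded."""
    body = der_bool(True) if ca else b""
    if pathlen is not None:
        body += tlv(0x02, bytes([pathlen]))  # single-octet INTEGER, 0..127
    return tlv(0x30, body)

def extension(oid: str, critical: bool, value_der: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }.
    The already-DER-encoded value is the *content* of the OCTET STRING, not a sibling."""
    body = der_oid(oid) + (der_bool(True) if critical else b"")
    return tlv(0x30, body + tlv(0x04, value_der))

def split_tlvs(buf: bytes):
    """Yield (tag, content) for consecutive short-form TLVs in buf."""
    pos = 0
    while pos < len(buf):
        tag, ln = buf[pos], buf[pos + 1]
        yield tag, buf[pos + 2:pos + 2 + ln]
        pos += 2 + ln

def extn_value(ext_der: bytes) -> bytes:
    """Unwrap an Extension and return the DER octets carried inside extnValue."""
    tag, body = next(split_tlvs(ext_der))
    fields = list(split_tlvs(body))
    assert tag == 0x30 and fields[0][0] == 0x06 and fields[-1][0] == 0x04
    return fields[-1][1]

def booleans_are_der(value_der: bytes) -> bool:
    """The rule the thread wants stated: a BOOLEAN inside the value must be 00 or FF (BER allows 01..FE)."""
    _, content = next(split_tlvs(value_der))  # one level only: the value's outer SEQUENCE
    return all(c in (b"\x00", b"\xff") for t, c in split_tlvs(content) if t == 0x01)
```

Running `extension("2.5.29.19", True, basic_constraints(True, 0))` yields the familiar `30 12 06 03 55 1d 13 01 01 ff 04 08 30 06 01 01 ff 02 01 00`, where the eight octets after `04 08` are exactly the DER of the inner SEQUENCE.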