RE: rfc3280bis change requested
Peter,
What happens if it appears in a BER encoding of a certificate? This is the
problem that I pointed out.
I am not overly worried about supporting of XER encoded certificates as this
is not part of the PKIX standard.
Jim
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-
> pkix@xxxxxxxxxxxx] On Behalf Of Peter Sylvester
> Sent: Thursday, January 24, 2008 8:33 AM
> To: David A. Cooper
> Cc: ietf@xxxxxxxxxxxxxxxxx; Sam Hartman; ietf-pkix@xxxxxxx
> Subject: Re: rfc3280bis change requested
>
> X.509 should probably say
>
> Extension ::= SEQUENCE {
> extnId EXTENSION.&id ({ExtensionSet}),
> critical BOOLEAN DEFAULT FALSE,
> extnValue OCTET STRING CONTAINING
> EXTENSION.&ExtnType({ExtensionSet}{@extnId}))
>
>
> which would mean that when the signature is created DER encoding
> is used, but if one uses a XER encoding of the certificate, one would
> not see the raw DER octets but the XER encoding of the content.
>
> I am still not sure whether the above is correct ASN.1, at least some
> gurus say so.
>
> IMO the text below should say:
>
> Each extension includes an OID and an ASN.1 structure. When an
> extension appears in a DER encoding of the certificate,
> the OID appears as the field extnID and the corresponding
> ASN.1 DER encoded structure is the value of the octet string
> extnValue.
> In particular, DER encoding is used for the calculation of the
> certificate.
>
> regards
>
>
> David A. Cooper wrote:
> >
> > ietf@xxxxxxxxxxxxxxxxx wrote:
> >> I believe that in section 4.2 there needs to be a statement added to the
> >> effect that extensions MUST be encoded using DER and stored in that encoding
> >> in the extnValue field.
> >>
> >
> > If there is confusion about whether 3280bis requires extensions to be
> > DER encoded and it is not too late to make a clarifying change, then
> > it would be a good idea to add something to 3280bis that clearly
> > states that extensions must be DER encoded.
> >
> > This is an X.509 requirement. The ASN.1 for Extension in X.509 is:
> >
> > Extension ::= SEQUENCE {
> > extnId EXTENSION.&id ({ExtensionSet}),
> > critical BOOLEAN DEFAULT FALSE,
> > extnValue OCTET STRING
> > -- contains a DER encoding of a value of type &ExtnType
> > -- for the extension object identified by extnId -- }
> >
> >
> > I would suggest the following changes to 3280bis:
> >
> > section 4.1 and appendix A.1 (add a comment to the ASN.1 for Extension):
> >
> > old:
> > Extension ::= SEQUENCE {
> > extnID OBJECT IDENTIFIER,
> > critical BOOLEAN DEFAULT FALSE,
> > extnValue OCTET STRING }
> >
> > new:
> > Extension ::= SEQUENCE {
> > extnID OBJECT IDENTIFIER,
> > critical BOOLEAN DEFAULT FALSE,
> > extnValue OCTET STRING
> > -- contains the DER encoding of an ASN.1 value corresponding
> > -- to the extension type identified by extnID -- }
> >
> >
> > section 4.2 (add the word "DER" to "ASN.1 encoded"):
> >
> > old:
> > Each extension includes an OID and an ASN.1 structure. When an
> > extension appears in a certificate, the OID appears as the field
> > extnID and the corresponding ASN.1 encoded structure is the value of
> > the octet string extnValue.
> >
> > new:
> > Each extension includes an OID and an ASN.1 structure. When an
> > extension appears in a certificate, the OID appears as the field
> > extnID and the corresponding ASN.1 DER encoded structure is the
> > value of the octet string extnValue.
> >
> >
> >
>
>
> --
> To verify the signature, see http://edelpki.edelweb.fr/
> This lets you download the authority's certificate;
> you will also find the list of revoked certificates there.
>
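The thread turns on whether an extnValue OCTET STRING must carry DER, and what a relying party sees when the surrounding certificate is BER. The following is an added example, not code from the thread or from any PKIX implementation: a small checker that parses an Extension SEQUENCE and reports the BER constructs DER forbids (indefinite length, non-minimal length, an explicitly encoded DEFAULT FALSE critical flag), both in the Extension itself and inside its extnValue. The sample byte strings are constructed by hand; only single-byte tags and these three DER rules are handled.

```python
from typing import List, Tuple

def parse_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int, List[str]]:
    """Parse one BER/DER TLV at buf[pos] (single-byte tags only, enough for
    Extension). Returns (tag, value, end_offset, list of DER violations)."""
    problems: List[str] = []
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:                      # indefinite length: BER only, never DER
        problems.append("indefinite length")
        end = buf.index(b"\x00\x00", pos + 2)   # simplified end-of-contents search
        return tag, buf[pos + 2:end], end + 2, problems
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        if length < 0x80 or length >> (8 * (n - 1)) == 0:
            problems.append("non-minimal length")   # DER demands the shortest form
    start = pos + header
    return tag, buf[start:start + length], start + length, problems

def scan(buf: bytes, path: str = "") -> List[str]:
    """Walk every TLV in buf, recursing into constructed types, collecting violations."""
    problems, pos = [], 0
    while pos < len(buf):
        tag, value, pos, vio = parse_tlv(buf, pos)
        here = f"{path}/{tag:#04x}"
        problems += [f"{here}: {v}" for v in vio]
        if tag & 0x20:                     # constructed: check the children too
            problems += scan(value, here)
    return problems

def check_extension(ext: bytes) -> List[str]:
    """DER violations in an Extension SEQUENCE and inside its extnValue."""
    tag, body, _, problems = parse_tlv(ext)
    if tag != 0x30:
        return problems + ["Extension is not a SEQUENCE"]
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos, vio = parse_tlv(body, pos)
        problems += [f"field {t:#04x}: {p}" for p in vio]
        fields.append((t, v))
    if any(t == 0x01 and v == b"\x00" for t, v in fields):
        problems.append("critical: DEFAULT FALSE must be omitted in DER")
    if fields[-1][0] != 0x04:
        return problems + ["extnValue is not an OCTET STRING"]
    return problems + [f"extnValue{p}" for p in scan(fields[-1][1])]

# Constructed sample: basicConstraints (2.5.29.19), critical, cA TRUE, all DER.
DER_EXT = bytes.fromhex("300F 0603551D13 0101FF 0405 3003 0101FF")
# Same extension in BER: long-form outer length, explicit critical FALSE,
# and an indefinite-length SEQUENCE inside extnValue.
BER_EXT = bytes.fromhex("308111 0603551D13 010100 0407 3080 0101FF 0000")
```

Running check_extension over each extension of a certificate before the signature check makes the "BER certificate" case Jim raises visible rather than silently accepted.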