Jim Schaad wrote:
Peter, A couple of more comments. 1. The XER encoding would most likely be placed in a Base64 encoding because of the OCTET STRING wrapper, so I don't know that there is any real advantage to not being DER.
My small sentence was grammatically false and also incomplete.
I think the real requirement is
- One must be able to create the DER encoding of the certificate.
- X509 specifies that extensions' content needs to be DER encoded,
but I think what is meant is the same as in the previous point.
As you said in another mail, without knowing the ASN.1 it
is impossible to create a DER encoding from any other encoding,
both for the tbsCertificate and the extension content, since extensions
are open types and a creator certainly does not know whether
a verifier knows an extension.
I think somewhere in the definition of SIGNED in X.5/6xx it is
said that one should use DER to transport such things.
What about:
Each extension includes an OID and an ASN.1 structure. When an
extension appears in a certificate, the OID appears as the field
extnID and the corresponding ASN.1 encoded structure is the value of
the octet string extnValue.
In order to be sure that a user of a certificate can correctly perform
signature verification, an encoder MUST use a DER encoding of the
extension content.
As a result of the ping-pong game of ASN.1 people defining
OCTET STRING wrappers (CONTAINING constraints) that allow good
parsers to go into the contents, which is what the other camp
tried to avoid by not simply using ANY DEFINED BY, today
one would probably define

    extnValue EXTENSION.&ExtnType({ExtensionSet}{@extnId})

which, to keep compatibility, would say:

    Extension ::= SEQUENCE {
        extnId    EXTENSION.&id ({ExtensionSet}),
        critical  BOOLEAN DEFAULT FALSE,
        extnValue OCTET STRING (CONTAINING EXTENSION.&ExtnType({ExtensionSet}{@extnId})) }
-- To verify the signature, see http://edelpki.edelweb.fr/ This lets you load the authority's certificate; you will also find the list of revoked certificates there.
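The DER requirement on extnValue discussed above, as an added example that is not part of the thread or any poster's code: a strict-DER reader that unwraps one Extension and checks that the OCTET STRING wrapper carries a single DER element, rejecting the BER length forms a verifier that hashes DER must not accept. The sample bytes, the function names and the BasicConstraints content are constructed for this demo.

```python
# Added example, not code from the thread: a strict-DER reader that unwraps one
# X.509 Extension and checks that extnValue's OCTET STRING wraps a single DER
# element, rejecting BER length forms. Sample bytes are constructed by hand:
# a critical BasicConstraints extension (2.5.29.19) containing SEQUENCE { cA TRUE }.
EXT_DER = bytes.fromhex("300f0603551d130101ff040530030101ff")
EXT_BER = bytes.fromhex("30100603551d130101ff04810530030101ff")  # extnValue length as 81 05

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element at buf[pos]; DER lengths only."""
    tag, first = buf[pos], buf[pos + 1]
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if buf[pos + 2] == 0 or length < 0x80:
            raise ValueError("non-minimal length is BER, not DER")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[start:start + length], start + length

def decode_oid(content):
    arcs, acc = [], 0  # base-128 arcs, high bit set on all but the last octet of each
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, head + arcs[1:]))

def parse_extension(der):
    """Decode Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    tag, body, end = read_tlv(der)
    otag, oid, pos = read_tlv(body)
    if tag != 0x30 or end != len(der) or otag != 0x06:
        raise ValueError("expected one SEQUENCE starting with an OBJECT IDENTIFIER")
    critical, (tag, val, pos) = False, read_tlv(body, pos)
    if tag == 0x01:  # critical present; DER writes TRUE as 0xFF and omits FALSE (DEFAULT)
        if val != b"\xff":
            raise ValueError("critical BOOLEAN is not DER-encoded")
        critical, (tag, val, pos) = True, read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    inner_tag, _, inner_end = read_tlv(val)  # the wrapper's content must itself be DER
    if inner_end != len(val):
        raise ValueError("extnValue does not hold a single DER element")
    return {"extnID": decode_oid(oid), "critical": critical, "extnValue": val, "innerTag": inner_tag}
```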