
Re: encoding an X.509 certificate



On Thu, Nov 6, 2008 at 1:52 PM, Santosh Chokhani <SChokhani@xxxxxxxxxxxx> wrote:
> DER Vs Base 64 is not the correct trade-off.

Sorry, I didn't make that very clear.  The XML Signature spec says the
certificate is base64 encoded before it is inserted in the XML but it
says nothing about the encoding of the underlying certificate, so the
question is, what ASN.1 encoding should be applied to the certificate
before it is base64 encoded?

> An X.509 certificate is always DER encoded.

That is the answer I was looking for, yes (although not everyone seems
to agree).

> After that for transport, do you send this as binary or convert the
> binary as base 64 is the trade-off.

The certificate is always base64 encoded before it is inserted in the XML.

Thanks!

Tom

> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of Tom Scavo
> Sent: Thursday, November 06, 2008 12:49 PM
> To: pkix
> Subject: encoding an X.509 certificate
>
>
> I've asked the following question in a number of forums with no luck.
> I'm hoping someone with intimate knowledge of ASN.1 encodings can help
> me out here.  Many thanks in advance.
>
> Currently there are three profiles before the OASIS Security Services
> Technical Committee (SSTC) that rely on XML elements of the form:
>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>  <ds:X509Data>
>   <ds:X509Certificate>
> MII...
>   </ds:X509Certificate>
>  </ds:X509Data>
> </ds:KeyInfo>
>
> Interestingly, the above element has sparked a vigorous debate within
> the SSTC, which has since spread to the W3C XML Signature WG.  The
> issue involves the ASN.1 encoding of the underlying certificate (which
> is base64 encoded in the XML).  Specifically, should the certificate
> be DER-encoded or should the encoding be left unspecified?
>
> So my question is:  If you were given an X.509 certificate of unknown
> encoding, could you determine the encoding by simply inspecting the
> bytes?  Does your favorite ASN.1 library support such a function?
>
> Thanks for shedding some light on this issue.
>
> Tom Scavo
> NCSA
>
>
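An added example, not part of this message or of the PKIX thread, for the question in the quoted post: can you tell DER from BER by inspecting the bytes? DER is the subset of BER fixed by X.690 clause 10, and its encoding-level rules (definite and shortest-form lengths, primitive encodings for BIT STRING, OCTET STRING and the character string types, BOOLEAN TRUE as 0xFF) can be checked by walking the TLV structure with no ASN.1 schema at all. The Python below does that and returns either "DER" or "BER" with a list of the rules broken, and a small wrapper applies it to the whitespace-padded base64 text of a ds:X509Certificate element. The function names and the two sample values are constructed for this example and are not real certificates. The caveat a practitioner needs: schema-dependent DER rules, such as an explicitly encoded DEFAULT value (the `critical FALSE` of an extension) or the ordering of SET elements, are invisible to a byte walk and need the Certificate module, so this check is necessary but not sufficient for "is DER".

```python
"""Classify an ASN.1 value's bytes as DER or merely BER by walking its TLV structure.

DER is the subset of BER (X.690 clause 10) with definite, shortest-form lengths, primitive
encodings for string types, and BOOLEAN TRUE as 0xFF; all of that is checkable without a
schema.  Schema-dependent rules (omitted DEFAULT values, SET ordering) need the module.
"""
import base64

# Universal tags DER requires to be primitive: BIT STRING, OCTET STRING, UTF8String and
# the other restricted character string and time types.
DER_PRIMITIVE_ONLY = {3, 4, 12, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30}


class Asn1Error(ValueError):
    """The bytes are not well-formed BER at all (truncated, overrun, trailing data)."""


def _read_tag(data, pos):
    """Return (class_bits, constructed, tag_number, next_pos) for the tag at pos."""
    if pos >= len(data):
        raise Asn1Error("truncated tag at offset %d" % pos)
    first = data[pos]
    cls, constructed, number, pos = first & 0xC0, bool(first & 0x20), first & 0x1F, pos + 1
    if number == 0x1F:  # high-tag-number form: base-128 digits, MSB set means more follow
        number, more = 0, True
        while more:
            if pos >= len(data):
                raise Asn1Error("truncated high tag number")
            number, more, pos = (number << 7) | (data[pos] & 0x7F), bool(data[pos] & 0x80), pos + 1
    return cls, constructed, number, pos


def _read_length(data, pos, violations):
    """Return (length, next_pos), with length None for the indefinite form; note DER violations."""
    if pos >= len(data):
        raise Asn1Error("truncated length at offset %d" % pos)
    first = data[pos]
    if first == 0x80:  # indefinite form: legal BER, never DER
        violations.append("indefinite-length form at offset %d" % pos)
        return None, pos + 1
    if first < 0x80:  # short form, fine in both
        return first, pos + 1
    n = first & 0x7F
    if pos + 1 + n > len(data):
        raise Asn1Error("truncated long-form length at offset %d" % pos)
    raw = data[pos + 1:pos + 1 + n]
    length = int.from_bytes(raw, "big")
    # DER: shortest form only, so the long form must exceed 127 and carry no leading zero octet
    if length < 0x80 or raw[0] == 0x00:
        violations.append("non-minimal length encoding at offset %d" % pos)
    return length, pos + 1 + n


def _read_tlv(data, pos, violations):
    """Consume one TLV at pos, recursing into constructed values; return the next offset."""
    start = pos
    cls, constructed, number, pos = _read_tag(data, pos)
    if cls == 0x00 and constructed and number in DER_PRIMITIVE_ONLY:
        violations.append("constructed string encoding (tag %d) at offset %d" % (number, start))
    length, pos = _read_length(data, pos, violations)
    if length is None:  # indefinite: constructed values only, closed by end-of-contents 00 00
        if not constructed:
            raise Asn1Error("primitive value with indefinite length at offset %d" % start)
        return _walk(data, pos, None, violations)
    if pos + length > len(data):
        raise Asn1Error("value at offset %d overruns the buffer" % start)
    if constructed:
        if _walk(data, pos, pos + length, violations) != pos + length:
            raise Asn1Error("nested values do not fill the container at offset %d" % start)
    elif cls == 0x00 and number == 1 and length == 1 and data[pos] not in (0x00, 0xFF):
        violations.append("BOOLEAN TRUE not encoded as 0xFF at offset %d" % start)
    return pos + length


def _walk(data, pos, end, violations):
    """Consume TLVs up to offset end, or up to the end-of-contents octets when end is None."""
    while True:
        if end is None:
            if pos + 2 > len(data):
                raise Asn1Error("missing end-of-contents octets")
            if data[pos:pos + 2] == b"\x00\x00":
                return pos + 2
        elif pos >= end:
            return pos
        pos = _read_tlv(data, pos, violations)


def classify_asn1(data):
    """Return ("DER", []) or ("BER", violations) for one complete value; raise if not BER."""
    violations = []
    end = _read_tlv(data, 0, violations)
    if end != len(data):
        raise Asn1Error("%d trailing byte(s) after the value" % (len(data) - end))
    return ("DER", []) if not violations else ("BER", violations)


def classify_x509certificate_text(b64_text):
    """Classify the content of a ds:X509Certificate element (base64, whitespace allowed)."""
    return classify_asn1(base64.b64decode("".join(b64_text.split())))


# Constructed samples, not real certificates: SEQUENCE { INTEGER 2, OCTET STRING "ab",
# BOOLEAN TRUE } in DER, and in a BER form that breaks five DER rules (indefinite SEQUENCE,
# long-form length 1, constructed OCTET STRING, indefinite OCTET STRING, BOOLEAN TRUE as 01).
SAMPLE_DER = bytes.fromhex("300a" "020102" "04026162" "0101ff")
SAMPLE_BER = bytes.fromhex("3080" "02810102" "2480" "040161" "040162" "0000" "010101" "0000")
SAMPLE_ELEMENT_TEXT = "\n" + base64.b64encode(SAMPLE_DER).decode() + "\n  "
```

Running `classify_asn1(SAMPLE_DER)` gives `('DER', [])`; `classify_asn1(SAMPLE_BER)` gives `('BER', [...])` with five messages, each naming the offset of the offending length or tag octet, which is what you want when a relying party rejects a certificate that "works everywhere else". Truncated or overrunning input raises `Asn1Error` rather than being reported as BER, since a malformed blob is neither encoding.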