RE: encoding an X.509 certificate
I stand corrected.
Certificate and signature could be encoded in ways other than DER. But, in
order to verify the signature you need to encode the payload in DER
since the signature is computed on DER.
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Ben Laurie
Sent: Thursday, November 06, 2008 3:34 PM
To: Tom Scavo
Cc: pkix
Subject: Re: encoding an X.509 certificate
Tom Scavo wrote:
> I've asked the following question in a number of forums with no luck.
> I'm hoping someone with intimate knowledge of ASN.1 encodings can help
> me out here. Many thanks in advance.
>
> Currently there are three profiles before the OASIS Security Services
> Technical Committee (SSTC) that rely on XML elements of the form:
>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data>
> <ds:X509Certificate>
> MII...
> </ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
>
> Interestingly, the above element has sparked a vigorous debate within
> the SSTC, which has since spread to the W3C XML Signature WG. The
> issue involves the ASN.1 encoding of the underlying certificate (which
> is base64 encoded in the XML). Specifically, should the certificate
> be DER-encoded or should the encoding be left unspecified?
>
> So my question is: If you were given an X.509 certificate of unknown
> encoding, could you determine the encoding by simply inspecting the
> bytes? Does your favorite ASN.1 library support such a function?
Surely an X.509 certificate is, by definition, in DER?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff