Re: encoding an X.509 certificate
On Thu, Nov 6, 2008 at 3:36 PM, Ben Laurie <ben@xxxxxxxxx> wrote:
>
> Obviously the signature will only verify if it is DER encoded. So,
> there's generally not much point in supporting other encodings.
Well, that brings up a good point, which I neglected to make clear.
The SAML profile that makes use of the XML structure posted earlier
does not require that the certificate in question be validated by the
receiving party. The certificate is merely a container for a public
key, for which the client proves possession of the corresponding
private key, nothing more.
If the receiving party is a SAML identity provider, the presented
certificate is bound to a SAML assertion (using the XML structure
posted earlier). If the receiving party is a SAML service provider,
the presented certificate is compared to the certificate bound to the
SAML assertion. So the actual encoding applied to the certificate is
not important, except of course the identity provider and the service
provider need to be on the same page, otherwise certificate comparison
at the service provider will fail.
Obviously, if the identity provider is required to bind a base64
encoding of a DER-encoded certificate, the service provider will have
no problem (or so it seems), but there are some who are inclined not
to specify DER explicitly, to future-proof the profile, as it were.
I hope this helps to clarify. I had hoped to avoid the details but I
see that may not be possible.
Thanks,
Tom
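A defender-side illustration of the comparison step Tom describes, added here and not part of the thread: the service provider normalises whatever form it receives (a PEM block, bare base64 with arbitrary line wrapping, or raw DER bytes) to the DER bytes before comparing, so the match does not depend on how the identity provider chose to wrap the text, while a BER encoding (indefinite or non-minimal length), which would never compare equal byte-for-byte, is rejected outright. The sample is a constructed minimal DER SEQUENCE, not a real certificate; `str` input is treated as text and `bytes` as DER, which is an assumption of this example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)

def _der_length(der: bytes):
    """Return (content_length, header_length) of the outer SEQUENCE TLV,
    rejecting BER length forms that DER forbids."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    first = der[1]
    if first == 0x80:
        raise ValueError("indefinite length: BER, not DER")
    if first < 0x80:                      # short form
        return first, 2
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad length octets")
    length = int.from_bytes(der[2:2 + n], "big")
    if length < 0x80 or (n > 1 and der[2] == 0):
        raise ValueError("non-minimal length: BER, not DER")
    return length, 2 + n

def to_der(cert) -> bytes:
    """Normalise a PEM block, bare base64 text (str) or raw DER (bytes)
    to the DER bytes; raise ValueError if the result is not valid DER."""
    if isinstance(cert, str):
        m = PEM_RE.search(cert)
        b64 = m.group(1) if m else cert
        der = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
    else:
        der = bytes(cert)
    content_len, header_len = _der_length(der)
    if header_len + content_len != len(der):
        raise ValueError("length does not match data (truncated or trailing bytes)")
    return der

def same_certificate(a, b) -> bool:
    """Compare two certificate representations on their canonical DER bytes."""
    return to_der(a) == to_der(b)

def is_der(cert) -> bool:
    try:
        to_der(cert)
        return True
    except ValueError:                    # binascii.Error is a ValueError too
        return False

# Constructed sample: SEQUENCE { INTEGER 5 }, standing in for a certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()          # "MAMCAQU="
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
BER_INDEFINITE = bytes.fromhex("30800201050000")           # same content, BER form
```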