Re: encoding an X.509 certificate
Tom Scavo wrote:
> On Thu, Nov 6, 2008 at 3:36 PM, Ben Laurie <ben@xxxxxxxxx> wrote:
>> Obviously the signature will only verify if it is DER encoded. So,
>> there's generally not much point in supporting other encodings.
>
> Well, that brings up a good point, which I neglected to make clear.
> The SAML profile that makes use of the XML structure posted earlier
> does not require that the certificate in question be validated by the
> receiving party. The certificate is merely a container for a public
> key, for which the client proves possession of the corresponding
> private key, nothing more.
>
> If the receiving party is a SAML identity provider, the presented
> certificate is bound to a SAML assertion (using the XML structure
> posted earlier). If the receiving party is a SAML service provider,
> the presented certificate is compared to the certificate bound to the
> SAML assertion. So the actual encoding applied to the certificate is
> not important, except of course the identity provider and the service
> provider need to be on the same page, otherwise certificate comparison
> at the service provider will fail.
If that's true, then your first paragraph is incorrect - all of the
certificate matters. However, if all you really care about is the public
key, why does the receiving party not just check that and ignore the
certificate?
> Obviously, if the identity provider is required to bind a base64
> encoding of a DER-encoded certificate, the service provider will have
> no problem (or so it seems), but there are some who are inclined not
> to specify DER explicitly, to future-proof the profile, as it were.
>
> I hope this helps to clarify. I had hoped to avoid the details but I
> see that may not be possible.
>
> Thanks,
> Tom
>
>
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff