RE: encoding an X.509 certificate



"Kemp, David P." <DPKemp@xxxxxxxxxxxxxx> writes:

>The same thing that happens to people who don't lint or bounds-check their C
>code - it works most of the time, so it must not matter if the code is
>actually correct.  "X.509 dogma" is just for anal people who want 100%
>reliability.

If you follow the spec in this regard you get 100% unreliability, not
reliability - your PKI application when shipped will break repeatedly whenever
it encounters a non-DER certificate, while everything else will work just
fine.  So "X.509 dogma" is for X.509 dogmatists and pretty much no-one else.

(I actually had a bit of trouble replying to this message, it's not often that
 you see the terms "100% reliability" and "X.509" used in the same sentence 
 (in fact this may be the first time I've ever seen it without a negation in
 there as well), there were so many ways I could have replied to this :-).

Peter.