
Re: encoding an X.509 certificate




At 8:22 PM -0500 11/12/08, Tom Gindin wrote:
        "Conservative in what you produce" - CA code should generate DER.
Not all such code does so, but it should.
        "Liberal in what you accept" - RP code should verify signatures on
the supplied binary TBSCertificate, rather than re-encoding.  For parsing
code to accept BER which isn't valid DER is almost harmless.  There may
well have been a good reason for believing that DER was more secure than
BER against various digest collision or pre-image attacks when X.509v1 was
in use and all certificate content had syntax verifiable by every RP (at
least in theory).  With non-critical extensions, that is no longer the
case.

                Tom Gindin

Tom,

I have to disagree. The standards call for DER to be used for signature generation and validation. They are generally silent on transport encoding. If we say that an RP should just try to verify the signature on whatever it receives, then we encourage (more) sloppy behavior by CAs. The preferred approach is for the RP to encode the received cert into DER before checking.

Steve
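
Added example, not part of either message: a Python sketch of the two relying-party options discussed in this thread, hashing the received TBSCertificate bytes as-is versus hashing a DER re-encoding of them. The byte strings are constructed samples, not a real certificate, and `to_der` is a hypothetical helper that normalizes only length octets and BOOLEAN TRUE; full DER also requires SET OF ordering, omission of DEFAULT values and primitive string forms, none of which are handled here.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one BER TLV at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this sketch")
    first = buf[pos + 1]
    pos += 2
    if first == 0x80:                  # indefinite length: children until 00 00
        start = pos
        while buf[pos:pos + 2] != b"\x00\x00":
            if pos >= len(buf):
                raise ValueError("missing end-of-contents")
            _, _, pos = read_tlv(buf, pos)
        return tag, buf[start:pos], pos + 2
    if first & 0x80:                   # long form: next n octets hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def der_len(n):
    """DER length octets: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def to_der(buf):
    """Re-encode consecutive BER TLVs using DER length and BOOLEAN rules."""
    out, pos = b"", 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        if tag & 0x20:                 # constructed: normalize the children
            content = to_der(content)
        elif tag == 0x01 and content != b"\x00":
            content = b"\xff"          # DER encodes BOOLEAN TRUE as 0xFF only
        out += bytes([tag]) + der_len(len(content)) + content
    return out

# Constructed sample: SEQUENCE { INTEGER 5, BOOLEAN TRUE } in loose BER and in DER.
BER_TBS = bytes.fromhex("30 80 02 81 01 05 01 01 01 00 00")
DER_TBS = bytes.fromhex("30 06 02 01 05 01 01 ff")

def digests(received):
    """SHA-256 over the bytes as received and over their DER re-encoding."""
    return hashlib.sha256(received).digest(), hashlib.sha256(to_der(received)).digest()
```

For `BER_TBS` the two digests differ, so a signature can match only one of them: whichever encoding the CA actually hashed. For `DER_TBS` they are identical and the choice of approach makes no difference.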