ASN.1 Name joys

[Robert Moskowitz <rgm-sec@xxxxxxxxxxxxxxx>]

I have just completed a 3 day CMP2000 interop workshop (email me if you 
wish to participate in the next one 1st week in June).

In the days preceeding and during we yet again had vendors experiencing 
ASN.1 coding problems with Name.

I have had threads as follows:

=============================================================

now I have examined the problem [with your ir] in more detail: Our Code
has problems with the field 'subject' [5] in the CertTemplate: The subject
is a NAME and the default for tagging in the CertTemplate SEQUENCE
is IMPLICIT.

Now the problem is, that the NAME  is a CHOICE and for a CHOICE
it is not allowed to use IMPLICIT tagging (see the ASN.1 specification).
So, in the case of  NAME one has to use an EXPLICIT tagging.

=============================================================

Then I get others like:

=============================================================

my interpretation of the PKIHeader->sender/recipient field was
as follows:

both sender and recipient are defined to be of type GeneralName...

     PKIHeader ::= SEQUENCE {
         pvno                INTEGER     { ietf-version2 (1) },
         sender              GeneralName,
         -- identifies the sender
         recipient           GeneralName,
         -- identifies the intended recipient
         messageTime     [0] GeneralizedTime         OPTIONAL,
         <snip>

which is defined in the IMPORTS as:  FROM PKIX1Implicit88

which is defined in RFC-2459 as:

GeneralName ::= CHOICE {
     otherName                       [0]     AnotherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
     directoryName                   [4]     Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER }

therefore it should be tagged as IMPLICIT
and, it can be any number of underlying structures.

so, a Name, although a SEQUENCE by definition, would be implicitly tagged
as [4] { SET{}  SET{} ... }, not SEQUENCE { SET{}  SET{} ... }

otherwise, the underlying name type would not be so easily determined.

=============================================================

As you might imagine, it is challenging to work on CMP interoperablity when 
there are questions about 2459 conformance.

Not everyone will be (or want to be) ASN.1 war heros.

What can we do with 2459bis to stop the flow of coding errors????

Do we need an informational RFC giving ASN.1 coding rules so that people do 
not have to get the X. whatever???

Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com