RE: Hash values in OCSP
Hi Mars,
Responses inline.
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@xxxxxxxxxxxx
339 N. Bernardo Ave. http://www.valicert.com
Mountain View, CA 94043
> -----Original Message-----
> From: mars@xxxxxxxxxxxxxx [mailto:mars@xxxxxxxxxxxxxx]
> Sent: Wednesday, January 16, 2002 3:47 PM
> To: ietf-pkix@xxxxxxx
> Subject: Hash values in OCSP
>
>
>
> I request your help in the following issues regarding RFC 2560:
>
> 1. The IssuerNameHash has to be calculated using the DER encoding of the
> issuer's name field EXACTLY as it appears in the target certificate (the one
> being checked with OCSP)? Or is there a standard regarding the order of the
> SETs in the RDN components?
It is the (correct and unique) DER encoding of the issuer's name.
That said, quite a few people incorrectly perform DER encoding
of DNs. If either you, or the responder you are relying upon,
incorrectly do the DER encoding, all bets are off.
>
> 2. The IssuerKeyHash value must be calculated excluding tag and length of
> the DER encoding of the subject public key field in the issuer's certificate.
> Since it is encoded as a BIT STRING, are we required to include the first
> contents octet (AKA the number of unused bits) in the input to the hash function?
As it turns out, all implementations that I know of have EXCLUDED
the number of unused bits. I have clarified this in the version of
the spec set up to go to draft standard.
>
> Thanks, best regards,
>
> Miguel A. Rodriguez
> Software Engineer
> SeguriDATA
> Mexico
>
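The two rules confirmed in the exchange above (hash the issuer Name TLV byte-for-byte as it sits in the target certificate; hash the subjectPublicKey BIT STRING contents with tag, length and the unused-bits octet all stripped) are easy to get subtly wrong, so here is a worked CertID computation. This is an added example written for this page, not code from the thread, from ValiCert, or from any OCSP implementation; the issuer name, the "public key" bytes and the serial number are constructed sample data, not a real CA, and the tiny DER encoder/decoder is an assumption of the example (a real client would pull the Name and SubjectPublicKeyInfo out of the certificates with a proper ASN.1 library). It also shows why re-encoding the issuer name is dangerous: the same logical DN with CN as UTF8String instead of PrintableString hashes to a different issuerNameHash.

```python
"""
OCSP CertID hashes per RFC 2560 section 4.1.1, worked on constructed data.

  issuerNameHash = H(DER of the issuer Name, tag and length INCLUDED, taken
                     verbatim from the target certificate)
  issuerKeyHash  = H(contents of the subjectPublicKey BIT STRING in the
                     issuer's certificate, with tag, length AND the leading
                     unused-bits octet removed, as clarified in the thread)
"""
import hashlib


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


# ---- minimal DER helpers (example-only; just enough for Name/SPKI/CertID) ----

def der_len(n: int) -> bytes:
    """Definite-form DER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, contents: bytes) -> bytes:
    return bytes([tag]) + der_len(len(contents)) + contents


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position just past this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER with base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def der_int_contents(n: int) -> bytes:
    """Minimal two's-complement contents for a non-negative INTEGER."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def attr(type_oid: str, string_tag: int, value: str) -> bytes:
    """One RDN: SET { SEQUENCE { type OID, value <string_tag> } }."""
    return tlv(0x31, tlv(0x30, oid(type_oid) + tlv(string_tag, value.encode())))


def name(*rdns: bytes) -> bytes:
    return tlv(0x30, b"".join(rdns))


def spki(alg_oid: str, key_bits: bytes, unused_bits: int = 0) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier, subjectPublicKey BIT STRING }."""
    alg = tlv(0x30, oid(alg_oid) + b"\x05\x00")            # NULL parameters
    return tlv(0x30, alg + tlv(0x03, bytes([unused_bits]) + key_bits))


# ---- the two hashes and the CertID structure ----

def issuer_name_hash(issuer_name_der: bytes) -> bytes:
    # The whole Name TLV, exactly as it appears in the target certificate.
    return sha1(issuer_name_der)


def issuer_key_hash(issuer_spki_der: bytes) -> bytes:
    tag, seq, _ = read_tlv(issuer_spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = read_tlv(seq)                 # skip AlgorithmIdentifier
    btag, bits, _ = read_tlv(seq, pos)           # subjectPublicKey BIT STRING
    if btag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return sha1(bits[1:])                        # drop the unused-bits octet


SHA1_OID = "1.3.14.3.2.26"


def cert_id(issuer_name_der: bytes, issuer_spki_der: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    hash_alg = tlv(0x30, oid(SHA1_OID) + b"\x05\x00")
    return tlv(0x30, hash_alg
               + tlv(0x04, issuer_name_hash(issuer_name_der))
               + tlv(0x04, issuer_key_hash(issuer_spki_der))
               + tlv(0x02, der_int_contents(serial)))


def parse_cert_id(cert_id_der: bytes):
    """Responder side: recover (issuerNameHash, issuerKeyHash, serialNumber)."""
    _, seq, _ = read_tlv(cert_id_der)
    _, _alg, pos = read_tlv(seq)
    _, nh, pos = read_tlv(seq, pos)
    _, kh, pos = read_tlv(seq, pos)
    _, ser, _ = read_tlv(seq, pos)
    return nh, kh, int.from_bytes(ser, "big")


# ---- constructed sample data (not a real CA, not a real key) ----
OID_CN, OID_O, OID_RSA = "2.5.4.3", "2.5.4.10", "1.2.840.113549.1.1.1"
ISSUER_NAME_DER = name(attr(OID_O, 0x13, "Example"), attr(OID_CN, 0x13, "Example CA"))
# Same logical DN, CN re-encoded as UTF8String (tag 0x0C): different bytes, different hash.
ISSUER_NAME_DER_UTF8 = name(attr(OID_O, 0x13, "Example"), attr(OID_CN, 0x0C, "Example CA"))
SAMPLE_KEY_BITS = bytes(range(1, 65))            # stand-in for the key's BIT STRING payload
ISSUER_SPKI_DER = spki(OID_RSA, SAMPLE_KEY_BITS)

if __name__ == "__main__":
    cid = cert_id(ISSUER_NAME_DER, ISSUER_SPKI_DER, 0x1234)
    print("issuerNameHash:", issuer_name_hash(ISSUER_NAME_DER).hex())
    print("issuerKeyHash :", issuer_key_hash(ISSUER_SPKI_DER).hex())
    print("CertID DER    :", cid.hex())
```

The practical check a client or responder author wants is the one the thread hints at: never re-encode the issuer DN yourself. Copy the `issuer` TLV bytes out of the target certificate's TBSCertificate, and copy the BIT STRING payload out of the issuer's SubjectPublicKeyInfo, and the hashes will match any responder that does the same; normalising string types or reordering SET members, as the UTF8String variant above shows, silently produces a CertID the responder will report as unknown.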