[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [IETF-PKIX] Encoding of INTEGER fields in PKIX

To: IETF-PKIX@xxxxxxxxxxxxxxxx
Subject: Re: [IETF-PKIX] Encoding of INTEGER fields in PKIX
From: "David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>
Date: Tue, 16 Dec 1997 09:34:04 -0500
Reply-to: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>
Sender: "IETF X.509-based public key infrastructure mailing list" <IETF-PKIX@xxxxxxxxxxxxxxxx>

Thanks to all who replied, either publicly or privately, to my question
on INTEGER encoding.

The consensus was unanimous (a rare event!) that:

  a) cryptographic bignums should *not* be typecast to signed integers at
     the ASN.1 coding interface, and therefore must always be encoded
     such that the MSBit is zero,

  b) most current software and the certs floating around are wrong, and

  c) it was a mistake to use INTEGER for cryptographic keys, parameters,
     signatures, etc, and that these fields should have been defined as
     OCTET STRING or BIT STRING when the algorithmIdentifiers were
     created.

I will therefore correct the PKIX part 1 examples to add a leading 00
octet where needed, and hope that future algorithmIdentifier definitions
will use OCTET STRING instead of INTEGER.

Is it too late for x9 to assign new OIDs for dsa and rsa using OCTET STRING
values, and have PKIX recommend support for the new algorithmIds?

Follow-Ups:
- Re: [IETF-PKIX] Encoding of INTEGER fields in PKIX
  - From: John Lowry

Prev by Date: Re: [IETF-PKIX] Terminology - Cross-Certification
Next by Date: [IETF-PKIX] account-authority digitial signature .... fyi
Previous by thread: [IETF-PKIX] OCSP Change Request
Next by thread: Re: [IETF-PKIX] Encoding of INTEGER fields in PKIX
Index(es):
- Date
- Thread