
Re: Testing the ASN.1 in Part 1



You found a minor editorial error in the document, but not an ASN.1 error.

For some reason, CertificatePolicies is defined here and where it should be.

The two lines with '*' at the front should be deleted:

   id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }

*  CertificatePoliciesSyntax ::=
*                       SEQUENCE SIZE (1..MAX) OF PolicyInformation

   PolicyConstraints ::= SEQUENCE {
        requireExplicitPolicy           [0] SkipCerts OPTIONAL,
        inhibitPolicyMapping            [1] SkipCerts OPTIONAL }

   SkipCerts ::= INTEGER (0..MAX)


Russ



At 03:47 PM 9/18/98 +1000, Dean Povey wrote:
>
>>
>>
>>>Anyone who plans to get around to checking the ASN.1 after part 1 becomes
>>>an RFC: could you do it now instead? This would be a great help to us all.
>>>Thanks!
>>>
>
>More bugs in PKIX1ImplicitXX
>
>The ASN.1 for PolicyConstraints is incorrect. In both the 88 and 93 versions
>it is specified as a SEQUENCE SIZE(1..MAX) OF SEQUENCE { ... }.  This is
>inconsistent with the X.509 definition and it also doesn't make any sense for
>it to be a SEQUENCE OF.  The definition of PolicyConstraints should be:
>
>PolicyConstraints ::= SEQUENCE {
>       requireExplicitPolicy   [0] SkipCerts OPTIONAL,
>       inhibitPolicyMapping    [1] SkipCerts OPTIONAL }
>
>Also the authorityInfoAccess OID is missing in the 88 module, it should be:
>
>id-pe-authorityInfoAccess  OBJECT IDENTIFIER ::= { id-pe 1 }
>
>More as I find 'em :-).
>
>
>--
>Dean Povey,         | e-m: povey@dstc.edu.au     | Cryptozilla:
>Research Scientist  | ph:  +61 7 3864 5120       |  www.cryptozilla.org/
>Security Unit, DSTC | fax: +61 7 3864 1282       | Oscar - PKI Toolkit:
>Brisbane, Australia | www: security.dstc.edu.au/ |  oscar.dstc.qut.edu.au/
>
>
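
An added example, not part of the original messages or of the PKIX draft: a small Python DER decoder for the PolicyConstraints definition given above, assuming the module's IMPLICIT tagging (so [0] and [1] appear on the wire as tags 0x80 and 0x81). It accepts the plain SEQUENCE form and rejects the SEQUENCE SIZE(1..MAX) OF SEQUENCE form reported in Dean Povey's message; the function names and hex samples are constructed for illustration.

```python
# Constructed sample encodings (not taken from any real certificate).
CORRECT = bytes.fromhex("3006800100810102")      # SEQUENCE { [0] 0, [1] 2 }
WRAPPED = bytes.fromhex("30083006800100810102")  # SEQUENCE OF SEQUENCE { ... }


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def skip_certs(content):
    """SkipCerts ::= INTEGER (0..MAX): non-negative, minimally encoded."""
    if not content:
        raise ValueError("empty INTEGER")
    if content[0] & 0x80:
        raise ValueError("SkipCerts must not be negative")
    if len(content) > 1 and content[0] == 0 and not content[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(content, "big")


def parse_policy_constraints(der):
    """Decode PolicyConstraints as a single SEQUENCE of two OPTIONAL fields."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    fields = {0x80: "requireExplicitPolicy", 0x81: "inhibitPolicyMapping"}
    result = {name: None for name in fields.values()}
    pos, last = 0, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in fields or tag <= last:   # unknown, repeated or misordered
            raise ValueError(f"unexpected element tag 0x{tag:02x}")
        result[fields[tag]] = skip_certs(value)
        last = tag
    return result
```

A decoder built from the SEQUENCE OF SEQUENCE definition would expect the extra outer wrapper shown in `WRAPPED`, so the two definitions do not interoperate on the wire.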