[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs, authoirzation spaces, registration practices

To: tls@xxxxxxxx
Subject: Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs, authoirzation spaces, registration practices
From: Mike <mike-list@xxxxxxxxx>
Date: Sun, 31 Dec 2006 17:11:05 -0800
Cc:
In-reply-to: <BAY103-DAV10609A530D84AA68BD08B792C40@xxxxxxx>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <BAY103-DAV10609A530D84AA68BD08B792C40@xxxxxxx>
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

In TLS 1.1 however, we suddenly get constrained in 2006 re the encodingof the DNs. The field has tobe DER encoded, now. In SSL and TLS1.0 it was an opaque type (I.e. theformat/encoding is definedby the ClientCertificateType). (Tell Peter DER, and he assumes he has totype check it, now, as DER,raising an exception if it fails the encoding rules for each attributetype's value; this is a lot of code!)


I don't think you need to validate the DER encoding (or not) of the
distinguished names.  Just compare them to your own and if you find
a match, it must be DER encoded.  If you don't find a match, maybe
it wasn't DER encoded, or maybe your DN isn't supported.  Either way
you know what to do.

Mike

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs, authoirzationspaces, registration practices
  - From: home_pw

References:
- [TLS] TLS1.2: focus on non X.509 certs, cert URLs, authoirzation spaces, registration practices
  - From: home_pw

Prev by Date: Re: [TLS] sending error alerts: MUST? SHOULD? MAY?
Next by Date: Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs, authoirzationspaces, registration practices
Previous by thread: Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs, authoirzation spaces, registration practices
Next by thread: Re: [TLS] TLS1.2: focus on non X.509 certs, cert URLs, authoirzationspaces, registration practices
Index(es):
- Date
- Thread