[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Problem verifying a signed message

----- Original Message -----
From: "Pawling, John" <John.Pawling@xxxxxxxxxxxxxxxx>
To: "'John Stark'" <jas@xxxxxxxxxxxx>; <imc-sfl@xxxxxxx>
Cc: "Jim Craigie" <Jim.Craigie@xxxxxxxxxxxxxx>; "David Lamkin"
Sent: Tuesday, March 19, 2002 5:08 PM
Subject: RE: Problem verifying a signed message

> Thank you for your feedback.  The SFL implements RFC 2630.  RFC 2630 CMS
> son-of-RFC 2630 (rfc2630bis-07.txt) specify the 1988 X.509 Recommendation
> the authoritative source for defining the DER.

... which was careless of them, since by the time RFC 2630 was published
(June 1999), X.690 (1997) had already been published, not to mention both
the 1993 and 1997 versions of X.509 that supersede the 1988 version.

> We are in the process of
> investigating if there is a backwards compatibility issue between the DER
> defined in X.690 and the 1988 X.509 Recommendation.  We will provide a
> detailed reply as soon as possible.

I very much doubt it.  Section 8.7 e) of X.509 (1988) states:

 "e)  the components of a Set-of type shall be encoded in ascending order of
their octet value;"

To my mind, this wording, though again vague, still implies that the tag and
length octets should be included for comparison purposes.  The "octet value"
of a SET-OF component consists of the complete tag, length and contents
octets (which in turn may contain tag and length octets in the case of
constructor elements).

The wording in X.509 (1993) is identical, though the section number has
changed.  I have found no source that positively implies that the tag and
length of SET-OF elements should be ignored for comparison purposes in DER

John Stark
E-mail: jas@xxxxxxxxxxxx
Tel: +44 (0) 1223 566732
Fax: +44 (0) 1223 566727
Mobile: +44 (0) 7968 110628