RE: [security-services] disposition of query re DER encoding issue

["Scott Cantor" <cantor.2@osu.edu>]

> I sent a query re the DER encoding issue in the HoK Assertion Profile
> to four external mailing lists.  By far, the best responses were
> received from members of the PKIX Working Group:

They appear to be mostly wrong, however, which is telling. Certificates are
NOT always DER. According to the xml-sec WG, there are in fact CA
certificates that are BER, and that's one of their current arguments for not
requiring DER.

My current response is that making work for the recipient/verifier is not a
good trade-off, and that the sender should bear that effort, but I don't
know how successfully I'm arguing this.

Of late, I'm taking the BER/DER tack and suggesting that since it seems like
some code handles both automatically, the right dividing line is to lump
those two together.

-- Scott