OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] disposition of query re DER encoding issue


On Mon, Nov 10, 2008 at 2:44 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>> I sent a query re the DER encoding issue in the HoK Assertion Profile
>> to four external mailing lists.  By far, the best responses were
>> received from members of the PKIX Working Group:
>
> They appear to be mostly wrong, however, which is telling. Certificates are
> NOT always DER.

If you diligently read through to the end of that long thread, you'll
find that the group basically comes to the same conclusion.

> According to the xml-sec WG, there are in fact CA
> certificates that are BER, and that's one of their current arguments for not
> requiring DER.

Yes, that appears to be true, but it doesn't make it right.  A CA that
encodes other than DER is just plain wrong.  That said, there's not
much that can be done about it.

> My current response is that making work for the recipient/verifier is not a
> good trade-off, and that the sender should bear that effort, but I don't
> know how successfully I'm arguing this.

Agreed.

> Of late, I'm taking the BER/DER tack and suggesting that since it seems like
> some code handles both automatically, the right dividing line is to lump
> those two together.

Hmm, that's like rewriting the law to fit the crime.  I'm not sure
what to think about it.

Tom
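
The BER/DER distinction discussed in this thread, as an added example that is not part of the original message: a verifier-side check that walks an ASN.1 TLV stream and reports three BER-only encodings that DER forbids (indefinite length, non-minimal length octets, constructed string types). The function names and the sample byte strings are constructed for illustration; an empty result means only that none of these three were found, not that the input is fully DER.

```python
# Added example (not from the thread): report BER-only encodings that DER forbids.
# Universal string tags that DER requires to be primitive (a subset chosen here).
STRING_TAGS = {3, 4, 12, 19, 20, 22, 26, 30}

def _walk(buf, pos, end, issues):
    while pos < end:
        start = pos
        tag = buf[pos]
        pos += 1
        if (tag & 0x1F) == 0x1F:          # high-tag-number form: skip extra tag octets
            while buf[pos] & 0x80:
                pos += 1
            pos += 1
        first = buf[pos]
        pos += 1
        if first == 0x80:                 # BER indefinite length, never valid in DER
            issues.append(f"offset {start}: indefinite length")
            return                        # stop this level; end-of-contents not tracked
        if first < 0x80:
            length = first                # short form
        else:
            raw = buf[pos:pos + (first & 0x7F)]
            pos += first & 0x7F
            length = int.from_bytes(raw, "big")
            if raw[0] == 0 or length < 0x80:
                issues.append(f"offset {start}: non-minimal length")
        if pos + length > end:
            issues.append(f"offset {start}: length overruns parent")
            return
        if tag & 0x20:                    # constructed encoding
            if (tag & 0xC0) == 0 and (tag & 0x1F) in STRING_TAGS:
                issues.append(f"offset {start}: constructed string type")
            _walk(buf, pos, pos + length, issues)
        pos += length

def der_violations(data: bytes) -> list:
    """Return the BER-only constructs found in data (empty list if none)."""
    issues = []
    try:
        _walk(data, 0, len(data), issues)
    except IndexError:
        issues.append("truncated encoding")
    return issues

if __name__ == "__main__":
    # Constructed samples: SEQUENCE { INTEGER 5 } in DER and two BER variants.
    for hexstr in ("3003020105", "30800201050000", "308103020105"):
        print(hexstr, der_violations(bytes.fromhex(hexstr)))
```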

