Subject: Re: [security-services] disposition of query re DER encoding issue
On Mon, Nov 10, 2008 at 2:44 PM, Scott Cantor <cantor.2@osu.edu> wrote:
>> I sent a query re the DER encoding issue in the HoK Assertion Profile
>> to four external mailing lists. By far, the best responses were
>> received from members of the PKIX Working Group:
>
> They appear to be mostly wrong, however, which is telling. Certificates are
> NOT always DER.

If you diligently read through to the end of that long thread, you'll
find that the group basically comes to the same conclusion.

> According to the xml-sec WG, there are in fact CA
> certificates that are BER, and that's one of their current arguments for not
> requiring DER.

Yes, that appears to be true, but it doesn't make it right. A CA that
encodes other than DER is just plain wrong. That said, there's not
much that can be done about it.

> My current response is that making work for the recipient/verifier is not a
> good trade-off, and that the sender should bear that effort, but I don't
> know how successfully I'm arguing this.

Agreed.

> Of late, I'm taking the BER/DER tack and suggesting that since it seems like
> some code handles both automatically, the right dividing line is to lump
> those two together.

Hmm, that's like rewriting the law to fit the crime. I'm not sure what
to think about it.

Tom
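Added example, not part of the message above or of the thread: a small Python walk over BER-encoded bytes that reports some of the ways they can fail to be DER (indefinite length, non-minimal length octets, constructed string types, non-canonical BOOLEAN), which is the check a sender or verifier would run if a profile required DER. The function name and sample byte strings are constructed for illustration, and only this subset of DER rules is covered.

```python
def der_violations(data, start=0, end=None):
    """Walk BER TLVs in data[start:end]; return reasons the bytes are not DER."""
    end = len(data) if end is None else end
    problems, i = [], start
    while i < end:
        at = i
        if i + 2 > end:
            raise ValueError(f"truncated TLV header at offset {at}")
        tag, first = data[i], data[i + 1]
        i += 2
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are outside this example")
        if first == 0x80:
            # Indefinite length is legal BER but never legal DER.
            problems.append(f"offset {at}: indefinite length")
            return problems  # contents end at an EOC marker, not a byte count
        if first < 0x80:
            length = first  # short form
        else:
            n = first & 0x7F  # long form: n length octets follow
            if i + n > end:
                raise ValueError(f"truncated length at offset {at}")
            raw = data[i:i + n]
            i += n
            length = int.from_bytes(raw, "big")
            # DER requires the shortest possible length encoding.
            if raw[0] == 0 or length < 0x80:
                problems.append(f"offset {at}: non-minimal length encoding")
        if i + length > end:
            raise ValueError(f"value overruns buffer at offset {at}")
        if tag in (0x23, 0x24):
            # BIT STRING / OCTET STRING must be primitive in DER.
            problems.append(f"offset {at}: constructed string type")
        if tag == 0x01 and length == 1 and data[i] not in (0x00, 0xFF):
            problems.append(f"offset {at}: BOOLEAN TRUE not encoded as 0xFF")
        if tag & 0x20:
            # Constructed type: check the nested TLVs as well.
            problems.extend(der_violations(data, i, i + length))
        i += length
    return problems


# Constructed samples: SEQUENCE { INTEGER 5, BOOLEAN TRUE } in four encodings.
DER_SAMPLE = bytes.fromhex("3006020105" "0101ff")
BER_LONG_LEN = bytes.fromhex("308106020105" "0101ff")    # length 6 as 0x81 0x06
BER_INDEFINITE = bytes.fromhex("3080020105" "0101ff" "0000")
BER_BOOLEAN = bytes.fromhex("3006020105" "010101")       # TRUE encoded as 0x01

if __name__ == "__main__":
    for name in ("DER_SAMPLE", "BER_LONG_LEN", "BER_INDEFINITE", "BER_BOOLEAN"):
        print(name, der_violations(globals()[name]) or "DER-clean for these checks")
```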