Thread: 4 messages in org.oasis-open.lists.security-services
  Tom Scavo      Nov 10, 2008 10:50 am
  Scott Cantor   Nov 10, 2008 11:44 am
  Tom Scavo      Nov 10, 2008 12:15 pm
  Scott Cantor   Nov 10, 2008 1:10 pm
Subject: Re: [security-services] disposition of query re DER encoding issue
From: Tom Scavo (trsc@gmail.com)
Date: Nov 10, 2008 12:15:00 pm
List: org.oasis-open.lists.security-services

On Mon, Nov 10, 2008 at 2:44 PM, Scott Cantor <cant@osu.edu> wrote:

>> I sent a query re the DER encoding issue in the HoK Assertion Profile to four external mailing lists. By far, the best responses were received from members of the PKIX Working Group:
>
> They appear to be mostly wrong, however, which is telling. Certificates are NOT always DER.

If you diligently read through to the end of that long thread, you'll find that the group basically comes to the same conclusion.

>> According to the xml-sec WG, there are in fact CA certificates that are BER, and that's one of their current arguments for not requiring DER.
>
> Yes, that appears to be true, but it doesn't make it right. A CA that encodes other than DER is just plain wrong. That said, there's not much that can be done about it.

>> My current response is that making work for the recipient/verifier is not a good trade-off, and that the sender should bear that effort, but I don't know how successfully I'm arguing this.
>
> Agreed.
>
> Of late, I'm taking the BER/DER tack and suggesting that since it seems like some code handles both automatically, the right dividing line is to lump those two together.

Hmm, that's like rewriting the law to fit the crime. I'm not sure what to think about it.

Tom
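What "lumping BER and DER together" costs the recipient, as an added example that is not from this thread, from the SAML HoK profile, or from any xml-sec or PKIX code: a small Python walker that reports the BER-only constructs a strict-DER verifier would reject (indefinite lengths, padded length octets, constructed string types, non-canonical BOOLEAN and INTEGER bodies) and re-encodes an accepted blob as DER so that two encodings of the same certificate compare equal. The function names (`check_der`, `to_der`), the limited scope (single-byte tags, no SET OF reordering) and the sample byte strings are all assumptions of this example.

```python
# Added example (not from the thread): a minimal BER/DER walker that tells whether a blob is strict
# DER and canonicalises BER to DER before comparing or hashing. Scope assumed: single-byte tags,
# no SET OF reordering. All sample bytes are constructed.
from collections import namedtuple
from typing import List, Tuple

Node = namedtuple("Node", "tag constructed content children")  # tag: constructed bit cleared
# Universal string-like types BER may split into constructed segments; DER forbids that.
_STRING_TAGS = {0x03, 0x04, 0x0C, 0x13, 0x14, 0x16, 0x17, 0x18, 0x1A, 0x1E}

def _bad_int(c: bytes) -> bool:  # INTEGER body with redundant sign-extension octets?
    return len(c) > 1 and ((c[0] == 0x00 and c[1] < 0x80) or (c[0] == 0xFF and c[1] >= 0x80))

def _parse(buf: bytes, pos: int, issues: List[str]) -> Tuple[Node, int]:
    """Decode one BER/DER value at pos, appending any DER violations to issues."""
    start, ident = pos, buf[pos]
    if ident & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are outside this example's scope")
    constructed, tag = bool(ident & 0x20), ident & ~0x20
    if constructed and tag in _STRING_TAGS:
        issues.append(f"constructed string type 0x{tag:02x} at offset {start}")
    first, pos, children = buf[pos + 1], pos + 2, []
    if first == 0x80:  # indefinite length: legal BER, never DER
        if not constructed:
            raise ValueError("indefinite length on a primitive value")
        issues.append(f"indefinite length at offset {start}")
        while pos < len(buf) and buf[pos:pos + 2] != b"\x00\x00":  # up to end-of-contents
            child, pos = _parse(buf, pos, issues)
            children.append(child)
        if buf[pos:pos + 2] != b"\x00\x00":
            raise ValueError("missing end-of-contents octets")
        return Node(tag, True, b"", children), pos + 2
    length = first
    if first >= 0x80:  # long form: the low 7 bits count the following length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:  # DER demands the shortest length form
            issues.append(f"non-minimal length encoding at offset {start}")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    if constructed:
        while pos < end:
            child, pos = _parse(buf, pos, issues)
            children.append(child)
        if pos != end:
            raise ValueError("child values overrun their parent's length")
        return Node(tag, True, b"", children), end
    content = buf[pos:end]
    if tag == 0x01 and content not in (b"\x00", b"\xff"):
        issues.append(f"non-canonical BOOLEAN at offset {start}")
    if tag == 0x02 and _bad_int(content):
        issues.append(f"non-minimal INTEGER at offset {start}")
    return Node(tag, False, content, []), end

def _der_length(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _segments(node: Node) -> List[bytes]:  # primitive pieces of a nested constructed string
    out: List[bytes] = []
    for c in node.children:
        out.extend(_segments(c) if c.constructed else [c.content])
    return out

def _encode(node: Node) -> bytes:
    if node.constructed and node.tag in _STRING_TAGS:  # merge segments into one primitive
        segs = _segments(node)
        if node.tag == 0x03:  # BIT STRING: one unused-bits octet, taken from the last segment
            content = bytes([segs[-1][0] if segs else 0]) + b"".join(s[1:] for s in segs)
        else:
            content = b"".join(segs)
        return bytes([node.tag]) + _der_length(len(content)) + content
    if node.constructed:
        content = b"".join(_encode(c) for c in node.children)
        return bytes([node.tag | 0x20]) + _der_length(len(content)) + content
    content = node.content
    if node.tag == 0x01 and any(content):
        content = b"\xff"  # DER: TRUE is exactly 0xFF
    while node.tag == 0x02 and _bad_int(content):
        content = content[1:]  # drop redundant sign-extension octets
    return bytes([node.tag]) + _der_length(len(content)) + content

def check_der(buf: bytes) -> List[str]:
    """DER violations found in buf; an empty list means the blob is strict DER."""
    issues: List[str] = []
    _, end = _parse(buf, 0, issues)
    if end != len(buf):
        issues.append("trailing bytes after the top-level value")
    return issues

def to_der(buf: bytes) -> bytes:
    """Re-encode a BER or DER blob as DER, so two encodings of one cert compare equal."""
    return _encode(_parse(buf, 0, [])[0])

# Constructed samples: SEQUENCE { INTEGER 5, BOOLEAN TRUE, OCTET STRING "ab" } as DER, then BER-only.
DER_SAMPLE = bytes.fromhex("300a 020105 0101ff 04026162")
BER_SAMPLE = bytes.fromhex("3080 0282000105 010101 2480 040161 040162 0000 0000")
```

`check_der(BER_SAMPLE)` lists five violations while `check_der(DER_SAMPLE)` lists none, yet `to_der(BER_SAMPLE) == DER_SAMPLE`, so a verifier that compares `to_der(a) == to_der(b)` treats the two as the same certificate. The raw byte strings, and therefore any signature or thumbprint computed over them, differ, which is the cost the thread is weighing: either the sender normalises to DER once, or every recipient carries a canonicaliser like this one.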