On Mon, Nov 10, 2008 at 2:44 PM, Scott Cantor <cant...@osu.edu> wrote:
I sent a query re the DER encoding issue in the HoK Assertion Profile
to four external mailing lists. By far, the best responses were
received from members of the PKIX Working Group:
They appear to be mostly wrong, however, which is telling. Certificates are
NOT always DER.
If you diligently read through to the end of that long thread, you'll
find that the group basically comes to the same conclusion.
According to the xml-sec WG, there are in fact CA
certificates that are BER, and that's one of their current arguments for not
Yes, that appears to be true, but it doesn't make it right. A CA that
encodes other than DER is just plain wrong. That said, there's not
much that can be done about it
My current response is that making work for the recipient/verifier is not a
good trade-off, and that the sender should bear that effort, but I don't
know how successfully I'm arguing this.
Of late, I'm taking the BER/DER tack and suggesting that since it seems like
some code handles both automatically, the right dividing line is to lump
those two together.
Hmm, that's like rewriting the law to fit the crime. I'm not sure
what to think about it.