From: Russ Housley <housley(_at_)spyrus(_dot_)com>
All:
The current ASN.1 syntax of attribute is actually a bit of a problem. If
an attribute is encountered that is unknown, the ASN.1 decoder might die.
To avoid this problem, X.509v3 extensions all have a type of OCTET STRING.
These extensions require a second decode pass to extract the extension
value from the OCTET STRING.
Can some folks with real-life implementation experience of ANY offer
suggestions?
Russ
This might be a problem for some implementations, but it doesn't have
to be.
X.509 has three extensible object classes: certificate extensions,
algorithms (as used in algorithmIdentifier), and RDN attributes. Only
certificate extensions are encapsulated in an OCTET STRING hole.
If one wants a robust certificate decoder, one must be prepared to find
unrecognized data in the other two classes.
At one point my certificate decoder was not robust :-). But I believe
it can handle anything now without croaking. At least it deals
correctly with all instances of unsupported data types that have been
thrown at it so far.
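Added example, not code from either message in this thread: a minimal DER tag-length-value walker that shows the two decode passes Russ describes for an X.509v3 Extension (the value sits in an OCTET STRING hole and is only interpreted once the extnID is recognized) next to the reply's point that an AttributeTypeAndValue has no such hole, so a decoder must be prepared to step over a value of unknown syntax and keep it as raw bytes rather than croak. The inputs are hand-encoded and constructed for the example; the 1.2.3.4.x OIDs are made up to stand in for unrecognized types.

```python
# Added example (not from the thread): a small DER TLV walker showing the
# two-pass decode of an X.509v3 Extension next to a tolerant decode of an
# AttributeTypeAndValue whose value is an open type with no OCTET STRING hole.
# Sample inputs at the bottom are constructed; 1.2.3.4.x are made-up OIDs.

TAG_BOOL, TAG_INT, TAG_OID, TAG_OCTET, TAG_UTF8, TAG_PRINT, TAG_SEQ = (
    0x01, 0x02, 0x06, 0x04, 0x0C, 0x13, 0x30)


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Single-byte tags and definite lengths only. Truncation is a ValueError,
    never an IndexError, so the caller can reject input without crashing."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: missing tag or length")
    tag, first = buf[pos], buf[pos + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding (indefinite or truncated)")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def read_sequence(value):
    """Split the contents of a constructed value into [(tag, value), ...]."""
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        items.append((tag, v))
    return items


def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (first two arcs are packed)."""
    if not value or value[-1] & 0x80:
        raise ValueError("empty or unterminated OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not (b & 0x80):
            if arcs:
                arcs.append(acc)
            else:
                arcs.extend(divmod(acc, 40) if acc < 80 else (2, acc - 80))
            acc = 0
    return ".".join(map(str, arcs))


def decode_basic_constraints(hole):
    """Second pass for id-ce-basicConstraints (2.5.29.19):
    SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    tag, body, end = read_tlv(hole)
    if tag != TAG_SEQ or end != len(hole):
        raise ValueError("extnValue is not a single SEQUENCE")
    ca, path_len = False, None
    for t, v in read_sequence(body):
        if t == TAG_BOOL:
            ca = v == b"\xff"
        elif t == TAG_INT:
            path_len = int.from_bytes(v, "big", signed=True)
    return {"ca": ca, "pathLen": path_len}


# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
KNOWN_EXTENSIONS = {"2.5.29.19": decode_basic_constraints}


def decode_extension(der):
    """First pass: the outer schema is fixed, so an unknown extnID is harmless
    and its value stays opaque. Second pass only for OIDs we know how to parse."""
    tag, body, end = read_tlv(der)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("Extension is not a single SEQUENCE")
    items = read_sequence(body)
    if len(items) not in (2, 3) or items[0][0] != TAG_OID:
        raise ValueError("malformed Extension")
    oid, critical = decode_oid(items[0][1]), False
    if len(items) == 3:
        if items[1][0] != TAG_BOOL:
            raise ValueError("malformed Extension")
        critical = items[1][1] == b"\xff"
    if items[-1][0] != TAG_OCTET:
        raise ValueError("extnValue is not an OCTET STRING")
    hole = items[-1][1]
    parser = KNOWN_EXTENSIONS.get(oid)
    return {"oid": oid, "critical": critical, "raw": hole,
            "parsed": parser(hole) if parser else None}


# AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY DEFINED BY type }
KNOWN_ATTRIBUTES = {"2.5.4.3": {TAG_PRINT, TAG_UTF8}}   # commonName


def decode_attribute(der):
    """No hole here: the value's tag is whatever the (possibly unknown) type
    dictates. DER still carries a length, so the walker can step over a value
    it cannot interpret and return the raw bytes instead of failing."""
    tag, body, end = read_tlv(der)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("AttributeTypeAndValue is not a single SEQUENCE")
    items = read_sequence(body)
    if len(items) != 2 or items[0][0] != TAG_OID:
        raise ValueError("malformed AttributeTypeAndValue")
    oid, (vtag, vbytes) = decode_oid(items[0][1]), items[1]
    if vtag in KNOWN_ATTRIBUTES.get(oid, ()):
        return {"oid": oid, "value": vbytes.decode("utf-8")}
    return {"oid": oid, "value": None, "raw_tag": vtag, "raw": vbytes}


# Constructed sample inputs (hand-encoded DER); 1.2.3.4.x are made-up OIDs.
EXT_BASIC_CONSTRAINTS = bytes.fromhex("3012 0603551d13 0101ff 0408 30060101ff020100")
EXT_UNKNOWN = bytes.fromhex("300b 06042a030405 0403020107")
ATTR_COMMON_NAME = bytes.fromhex("300b 0603550403 130454657374")
ATTR_UNKNOWN = bytes.fromhex("300b 06042a030406 3003020101")

if __name__ == "__main__":
    for der in (EXT_BASIC_CONSTRAINTS, EXT_UNKNOWN):
        print(decode_extension(der))
    for der in (ATTR_COMMON_NAME, ATTR_UNKNOWN):
        print(decode_attribute(der))
```

The decoder never has to know the inner syntax to get past a value: the length octets are what make skipping possible, with or without an OCTET STRING hole. The hole buys something different, namely that the outer Extension schema is closed, so a schema-driven decoder can check it fully before deciding whether to look inside. What to do with an unrecognized extension is a validation decision, not a decoding one; RFC 5280 requires rejecting a certificate that carries an unrecognized critical extension, which is why the example returns the `critical` flag alongside `parsed = None` rather than deciding for the caller.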