I am editing the revision of a certificate specification for the national
Swedish Electronic Identity Card (see www.seis.se), to harmonize it with
the certificate specifications of PKIX-1 and S/MIME. I am also going to
include examples of DER-coded certificates. In that context I have come
across different ways of encoding the subjectAltName rfc822Name
extension. The question is: Should it use IMPLICIT or EXPLICIT tags?
Below are two extracts from PKIX-1, which uses IMPLICIT in one example
and EXPLICIT in another.
Which way has it been implemented in existing S/MIME products? Can they
handle both IMPLICIT and EXPLICIT coding of rfc822Name?
Here are the examples from PKIX-1:
------------------------ IMPLICIT TAG: ------------------------------------------
0606 a3 1d 29: . . [3]
0608 30 1b 27: . . . SEQUENCE
0610 30 19 25: . . . . SEQUENCE
0612 06 03 3: . . . . . OID 2.5.29.17: subjectAltName
0617 04 12 18: . . . . . OCTET STRING
: 30 10 81 0e 77 70 6f 6c 6b 40 6e 69 73 74 2e 67
: 6f 76
0000 30 10 16: SEQUENCE
0002 81 0e 14: . [1]
: 77 70 6f 6c 6b 40 6e 69 73 74 2e 67 6f 76
Note: This subjectAltName data is IMPLICIT TAGS - is that correct? (this
note is taken from PKIX-1!)
----------------------- EXPLICIT TAG: ----------------------------------------------------
30 3d
id-ce-subjectAltName = { 2 5 29 17 }
06 03 55 1d 11
by default, critical = FALSE
octet string
04 36
30 34
rfc822name
a1 1a
IA5String "escert-upc@escert.upc.es"
16 18 65 73 63 65 72 74 2d 75 70 63 40 65 73 63
65 72 74 2e 75 70 63 2e 65 73
---------------------------------------------------------------
I have consulted different experts and of course received different
responses:
Response A:
The Certificate Extensions module specifies IMPLICIT tags
('DEFINITIONS IMPLICIT TAGS ::= BEGIN ...). Hence, IMPLICIT tags must
be used for selecting the 'rfc822Name' (e-mail) choice in the
'subjectAltName' extension.
Response B:
That is an example of where the "gotcha" rule on IMPLICIT tagging
applies :-)
X.680 section 28.6:
The tagging construction specifies explicit tagging if any of the
following holds:
a) ..
b) ..
c) the "Tag Type" alternative is used and the value of TagDefault for
the module is "IMPLICIT TAGS" or "AUTOMATIC TAGS", but the type
defined by "Type" is a choice type, open type, or a
DummyReference.
so even in an IMPLICIT TAGS module, GeneralName (a CHOICE) is encoded
using explicit tagging, as shown in the PKIX-1 example.
Response C:
In the definition of GeneralName we have
rfc822Name [1] IA5String,
directoryName [4] Name,
And from X.680:
c) the "Tag Type" alternative is used and the value of TagDefault for
the module is "IMPLICIT TAGS" or "AUTOMATIC TAGS", but the type
defined by "Type" is a choice type, open type, or a
DummyReference.
With rfc822Name, the Type is IA5String, which means that IMPLICIT should
be used,
BUT for directoryName the Type is Name, which is a CHOICE, which means
that EXPLICIT should be used.
------------------------------------------------------------------------------------------------------------
Looking forward to your help!
Hans Nilsson
AU-System
Stockholm, Sweden
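As an added example (not part of the message above, nor code from PKIX-1 or the SEIS specification), here is a small Python decoder and encoder for the rfc822Name case discussed: it accepts either tagging on input, reports which one a certificate used, and produces the IMPLICIT form that Responses A and C argue for. Function names are assumed, and the EXPLICIT test vector is the quoted hex trimmed to just the rfc822Name (the other names in that PKIX-1 example are not quoted).

```python
def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos). DER only permits definite lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end

def parse_general_names(san_value):
    """Decode GeneralNames (the content of extnValue); return (tagging, email) per rfc822Name."""
    tag, seq, end = read_tlv(san_value, 0)
    if tag != 0x30 or end != len(san_value):
        raise ValueError("GeneralNames is not exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0x81:                    # [1] IMPLICIT: IA5String content directly
            names.append(("IMPLICIT", val.decode("ascii")))
        elif tag == 0xA1:                  # [1] EXPLICIT: wraps a universal IA5String (0x16)
            inner_tag, inner, inner_end = read_tlv(val, 0)
            if inner_tag != 0x16 or inner_end != len(val):
                raise ValueError("explicit [1] must wrap exactly one IA5String")
            names.append(("EXPLICIT", inner.decode("ascii")))
        else:                              # other GeneralName alternatives, left undecoded
            names.append(("OTHER", tag))
    return names

def encode_rfc822name(email, explicit=False):
    """Encode one rfc822Name GeneralName (short-form lengths only, i.e. < 128 octets)."""
    s = email.encode("ascii")
    if not explicit:
        return bytes([0x81, len(s)]) + s
    inner = bytes([0x16, len(s)]) + s
    return bytes([0xA1, len(inner)]) + inner

def general_names(*encoded):
    """Wrap already-encoded GeneralName values in the GeneralNames SEQUENCE (short lengths)."""
    body = b"".join(encoded)
    return bytes([0x30, len(body)]) + body

# Constructed vectors: IMPLICIT_SAN is the hex quoted from the first PKIX-1 example;
# EXPLICIT_SAN keeps only the rfc822Name of the second, outer length adjusted to 0x1c.
IMPLICIT_SAN = bytes.fromhex("30 10 81 0e 77 70 6f 6c 6b 40 6e 69 73 74 2e 67 6f 76")
EXPLICIT_SAN = bytes.fromhex("30 1c a1 1a 16 18 65 73 63 65 72 74 2d 75 70 63 40 65 73 "
                             "63 65 72 74 2e 75 70 63 2e 65 73")
```

Running `parse_general_names` over the extnValue of each certificate a product emits is a quick way to see which tagging it produces, and feeding it both vectors checks that a parser tolerates both.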