On Tue, 3 Feb 1998, Nilsson Hans wrote:
I am editing the revision of a certificate specification for the national
Swedish Electronic Identity Card (see www.seis.se), to harmonize it with
the certificate specifications of PKIX-1 and S/MIME. I am also going to
include examples of DER-coded certificates. In that context I have come
across different ways of encoding the subjectAltName rfc822Name
extension. The question is: Should it use IMPLICIT or EXPLICIT tags?
Below are two extracts from PKIX-1, which uses IMPLICIT in one example
and EXPLICIT in another.
[...]
Response A:
The Certificate Extensions module specifies IMPLICIT tags
('DEFINITIONS IMPLICIT TAGS ::= BEGIN ...). Hence, IMPLICIT tags must
be used for selecting the 'rfc822Name' (e-mail) choice in the
'subjectAltName' extension.
Correct, for the PKIX1 module is defined with IMPLICIT TAGS and
'rfc822Name' is neither an open type nor a CHOICE type.
Response B:
That is an example of where the "gotcha" rule on IMPLICIT tagging
applies :-)
X.680 section 28.6:
The tagging construction specifies explicit tagging if any of the
following holds:
a) ..
b) ..
c) the "Tag Type" alternative is used and the value of TagDefault for
the module is "IMPLICIT TAGS" or "AUTOMATIC TAGS", but the type
defined by "Type" is a choice type, open type, or a
DummyReference.
so even in an IMPLICIT TAGS module, GeneralName (a CHOICE) is encoded
using explicit tagging, as shown in the PKIX-1 example.
The quote from X.680 is correct, but the conclusion drawn is incorrect
because GeneralName is nowhere used in PKIX1 as a tagged type (You can't
explicitly or implicitly tag a type unless it is a tagged type.)
In other words, you will notice that in PKIX1 GeneralName is never
referenced as a tagged type, as opposed to GeneralNames which is often
referenced as a tagged type. Thus, in PKIX1 GeneralName should under no
circumstance be encoded using explicit tagging.
Response C:
In the definition of GeneralName we have
rfc822Name [1] IA5String,
directoryName [4] Name,
And from X.680:
c) the "Tag Type" alternative is used and the value of TagDefault for
the module is "IMPLICIT TAGS" or "AUTOMATIC TAGS", but the type
defined by "Type" is a choice type, open type, or a
DummyReference.
With rfc822Name, the Type is IA5String, which means that IMPLICIT should
be used,
BUT for directoryName the Type is Name, which is a CHOICE, which means
that EXPLICIT should be used.
This too is correct!
--------------------------------------------------------------------------
Bancroft Scott                    Toll Free     :1-888-OSS-ASN1
Open Systems Solutions, Inc.      International :1-609-987-9073
baos(_at_)oss(_dot_)com           Tech Support  :1-732-249-5107
http://www.oss.com                Fax           :1-732-249-4636
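The two encodings the thread settles on, shown byte for byte as an added worked example (this code is not part of the original message or of any OSS product). Under the IMPLICIT TAGS default, the [1] on rfc822Name replaces the IA5String tag, giving a primitive context tag 0x81; the [4] on directoryName is forced explicit by X.680 28.6 c) because Name is a CHOICE, so it becomes a constructed context tag 0xA4 wrapping the complete Name encoding, SEQUENCE tag included. The helper names, the single-attribute Name and the sample e-mail address are constructed for the example; the decoder rejects the form a careless implicit encoding of directoryName would produce (the [4] tag standing in for the SEQUENCE tag).

```python
"""DER encoding of two PKIX GeneralName alternatives (constructed example).

GeneralName ::= CHOICE { ... rfc822Name [1] IA5String, ... directoryName [4] Name, ... }
Name        ::= CHOICE { rdnSequence RDNSequence }   -- a CHOICE, so [4] is explicit
"""

CN_OID = bytes.fromhex("0603550403")  # id-at-commonName (2.5.4.3), DER OBJECT IDENTIFIER TLV


def der_length(n):
    """Definite-length DER encoding of a content length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Assemble one tag-length-value triple (single-byte tags only)."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_name(rdns):
    """Encode a Name from [(oid_tlv, printable_string), ...], one single-valued RDN each.

    The chosen alternative (rdnSequence) is a SEQUENCE OF SET OF AttributeTypeAndValue;
    the CHOICE itself adds no bytes, so the outermost tag is the SEQUENCE tag 0x30.
    """
    out = b""
    for oid, value in rdns:
        atv = tlv(0x30, oid + tlv(0x13, value.encode("ascii")))  # AttributeTypeAndValue
        out += tlv(0x31, atv)                                     # RelativeDistinguishedName (SET OF)
    return tlv(0x30, out)                                         # RDNSequence


def encode_rfc822name(addr):
    """rfc822Name [1] IA5String, IMPLICIT: the context tag replaces 0x16 (IA5String)."""
    return tlv(0x81, addr.encode("ascii"))      # 0x80 context | 0x00 primitive | 1


def encode_directoryname(name_der):
    """directoryName [4] Name, EXPLICIT: the context tag wraps the whole Name TLV."""
    return tlv(0xA4, name_der)                  # 0x80 context | 0x20 constructed | 4


def read_tlv(buf, pos=0):
    """Parse one definite-length TLV; returns (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long form: 0x8n then n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_generalname(der):
    """Decode the two alternatives above, enforcing the explicit wrapper on directoryName."""
    tag, content, end = read_tlv(der)
    if end != len(der):
        raise ValueError("trailing bytes after GeneralName")
    if tag == 0x81:
        return ("rfc822Name", content.decode("ascii"))
    if tag == 0xA4:
        inner_tag, _, inner_end = read_tlv(content)
        # Explicit [4] must contain exactly one Name, i.e. one SEQUENCE (0x30).
        if inner_tag != 0x30 or inner_end != len(content):
            raise ValueError("directoryName [4] must explicitly wrap a Name SEQUENCE")
        return ("directoryName", content)
    raise ValueError("GeneralName alternative 0x%02x not handled here" % tag)


def rejects(der):
    """True if decode_generalname refuses the encoding (used to show the bad form fails)."""
    try:
        decode_generalname(der)
        return False
    except ValueError:
        return True


def implicitly_tagged_name(name_der):
    """The WRONG encoding: [4] treated as implicit, replacing the SEQUENCE tag of Name."""
    return bytes([0xA4]) + name_der[1:]


if __name__ == "__main__":
    name = encode_name([(CN_OID, "Hans")])
    print("rfc822Name   :", encode_rfc822name("hans@seis.se").hex())
    print("directoryName:", encode_directoryname(name).hex())
    print("implicit [4] rejected:", rejects(implicitly_tagged_name(name)))
```

Reading the output, the rfc822Name alternative is `81 0c` followed by the address bytes, while directoryName is `a4 11 30 0f ...`: the explicit tag adds its own length and keeps the inner `30` of the Name. The rejected form, `a4 0f 31 0d ...`, is what you get when the tag is applied implicitly; a strict decoder sees a SET where it expects the Name SEQUENCE.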