"Pawling, John" wrote:
The Certificate ASN.1 syntax definitions in the PKIX and X.509 specs are
equivalent (i.e. they produce identical hex ASN.1 encodings), so it doesn't
matter to me which spec is referenced.
However, the AttributeCertificate syntax is an issue. RFC 2630 imports the
AttributeCertificate syntax from the 1997 X.509 Recommendation. The
AttributeCertificate syntax defined in the draft 2000 X.509 Recommendation
(X.509_4thEditionDraftV7, 23 Feb 2001) and PKIX AC Profile
(draft-ietf-pkix-ac509prof-06.txt, 10 Jan 2001) is incompatible with the
AttributeCertificate syntax defined in the 1997 X.509 Recommendation.
Recommend that the son-of-RFC2630 and symkeydist ASN.1 modules should import
the AttributeCertificate syntax defined in the draft 2000 X.509
Recommendation and PKIX AC Profile (again, it doesn't matter to me which
spec is referenced).
I'm trying to work out whether that statement implies that the draft2000
X.509 Recommendation and the PKIX AC profile are compatible :-)
I sent a query about that to the PKIX list without response a while ago.
There seems to be one (unintentional?) incompatibility at least. The
PKIX draft has in the ASN1 module (Appendix B):
DEFINITIONS EXPLICIT TAGS ::=
whereas the X509 2000 draft has:
DEFINITIONS IMPLICIT TAGS ::=
The 1997 X.509 recommendation apparently does not change the default
tagging which would mean it should be EXPLICIT.
I've only ever seen one example of an attribute certificate and that
used default EXPLICIT tagging but it was broken in another separate way.
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: drh(_at_)celocom(_dot_)com PGP key: via homepage.