Eric Rescorla <ekr(_at_)networkresonance(_dot_)com> writes:
So, what's the right answer here?
Read the OID and hash value, toss the rest. Doing anything else is just
asking for trouble.
(There's really no question here: There are two ways to do this, knowing in
advance what you'll encounter in the field isn't possible, so the only
workable solution is to not compare the encoded value, or if you must,
compare two pre-encoded alternatives for each possible hash algorithm. This
still breaks though if someone gets the encoding slightly wrong... comparing
a pre-built value is just asking for trouble).
My understanding from discussions in Prague is that this reflects NIST's
current guidance as well.
This would put them in conflict with ISO, who (the last time I checked) say
the parameter should be omitted. In any case though it doesn't really matter
which side wants to hold their breath the longest, if you read the OID and
hash and work with that you can't go wrong.
Peter.