At Sat, 07 Apr 2007 19:01:26 +1200,
Peter Gutmann wrote:
> Eric Rescorla <ekr(_at_)networkresonance(_dot_)com> writes:
> > So, what's the right answer here?
>
> Read the OID and hash value, toss the rest. Doing anything else is just
> asking for trouble.
>
> (There's really no question here: There are two ways to do this, knowing in
> advance what you'll encounter in the field isn't possible, so the only
> workable solution is to not compare the encoded value, or if you must,
> compare two pre-encoded alternatives for each possible hash algorithm. This
> still breaks though if someone gets the encoding slightly wrong... comparing
> a pre-built value is just asking for trouble).

Totally agree.
My question was more what we ought to recommend.
-Ekr
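
The "compare two pre-encoded alternatives for each possible hash algorithm" option from the quoted text, as an added example that is not part of the original thread. It assumes the encoded value is a PKCS #1 DigestInfo, that the two alternatives are the encodings with NULL parameters and with parameters absent, and that `recovered` is what is left once the signature padding has been checked and stripped; all function names are hypothetical.

```python
import hashlib
import hmac

# DER content bytes of the hash algorithm OIDs.
HASH_OIDS = {
    "sha1": bytes.fromhex("2b0e03021a"),            # 1.3.14.3.2.26
    "sha256": bytes.fromhex("608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}

def tlv(tag, content):
    """Encode one DER tag-length-value; short-form lengths are all we need here."""
    if len(content) >= 128:
        raise ValueError("long-form length not needed for a DigestInfo")
    return bytes([tag, len(content)]) + content

def digest_info_encodings(alg, digest):
    """Return both expected DigestInfo encodings: NULL parameters, then absent."""
    oid = tlv(0x06, HASH_OIDS[alg])
    octets = tlv(0x04, digest)
    with_null = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")) + octets)
    without_params = tlv(0x30, tlv(0x30, oid) + octets)
    return with_null, without_params

def digest_info_matches(alg, message, recovered):
    """Accept only a byte-for-byte match with one of the two expected encodings.

    The verifier builds the expected value itself and never parses `recovered`,
    so trailing bytes or a non-DER length encoding are rejected, not skipped.
    """
    digest = hashlib.new(alg, message).digest()
    ok = False
    for expected in digest_info_encodings(alg, digest):
        ok |= hmac.compare_digest(expected, recovered)  # evaluate both, no early exit
    return ok

if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input, not from the thread
    h = hashlib.sha256(msg).digest()
    null_form, bare_form = digest_info_encodings("sha256", h)
    print(digest_info_matches("sha256", msg, null_form))            # NULL parameters
    print(digest_info_matches("sha256", msg, bare_form))            # parameters absent
    print(digest_info_matches("sha256", msg, null_form + b"\x00"))  # trailing byte
```

The third call is the case the quoted text warns about: a signer whose encoding differs even slightly from both pre-built values is rejected.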