ietf-smime

Re: I-D ACTION:draft-ietf-smime-sha2-08.txt

2008-10-03 22:21:46

On Fri, Oct 3, 2008 at 2:09 PM, Turner, Sean P. <turners(_at_)ieca(_dot_)com> wrote:
> 1. I was just following the conventions for SHA-1.  I take it you're
> suggesting we should break with those conventions?

This is something we debated back in the DSA days. The bottom line is
that we were younger and dumber back in the 90's for
AlgorithmIdentifier, and now we know that the parameters are an
optional field. So the bottom line is that new algorithms should be
absent parameters instead of encoded as NULL.

From RFC 2633:

2.2 SignatureAlgorithmIdentifier

   Sending and receiving agents MUST support id-dsa defined in [DSS].
   The algorithm parameters MUST be absent (not encoded as NULL).

So yeah, we're kind of jerks for carting around some of this NULL for
the older algorithms, but the rule of thumb is that "for any new
algorithms, the parameters are absent if there aren't any".

Blake
-- 
Blake Ramsdell | http://www.blakeramsdell.com
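
[Added example, not part of the original message or of the draft: the two DER encodings of an AlgorithmIdentifier discussed above (parameters absent versus encoded as NULL) differ as bytes, so a byte-for-byte comparison treats them as different algorithms. The sample bytes are constructed for SHA-256, the function names are hypothetical, and treating the two forms as equivalent on receipt is an assumption of this sketch.]

```python
# Added example: classify the parameters field of a DER AlgorithmIdentifier.

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV (short-form length only)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled here")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end

def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted-decimal text."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(acc)
            acc = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_algorithm_identifier(der):
    """Return (oid, state); state is 'absent', 'null' or 'other'."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    if pos == len(body):
        return decode_oid(oid_bytes), "absent"
    tag, value, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing data after parameters")
    return decode_oid(oid_bytes), "null" if (tag, value) == (0x05, b"") else "other"

def same_algorithm(a, b):
    """Assumed receive policy: absent and NULL parameters are equivalent."""
    (oid_a, p_a), (oid_b, p_b) = map(parse_algorithm_identifier, (a, b))
    return oid_a == oid_b and {p_a, p_b} <= {"absent", "null"}

# Constructed samples: SHA-256 (2.16.840.1.101.3.4.2.1), both encodings.
SHA256_ABSENT = bytes.fromhex("300b0609608648016503040201")
SHA256_NULL = bytes.fromhex("300d06096086480165030402010500")
```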
