At 8:10 AM -0600 1/5/09, Timothy J. Miller wrote:
Ben Laurie wrote:
I am not suggesting that we should fix X.509, I am pointing out, in my
own roundabout way, that X.509 certs are supposed to have a canonical
form. But it seems they do not.
That was last month's major discussion on PKIX. The upshot: there's
no canonical form other than what's in memory.
-- Tim
Tim,
Your response is an oversimplification, in several respects.
Ben's comment was a bit ill-formed. It's not that certs in general do
or do not have a canonical form, but whether a given cert has a
canonical representation. If the cert has no extensions, then it
does. If it has extensions, then since the top level extension syntax
is a SEQUENCE, the order of extensions in that sequence (when
the cert was signed) is definitive. (If that syntax had called for a
SET, then DER encoding would impose an order at this level, so use
of the SEQUENCE construct here makes life a bit easier.)
The context in which there is some disagreement is whether an
extension needs to be DER encoded below the next level, where it is
defined as an OCTET string. If one stops at the OCTET string level,
life is easy and an RP can always encode to DER upon receipt
(since the base cert format IS known by all RPs and they are
technically capable of encoding it in DER).
If one interprets X.509 to require DER for the lower levels of the
structure of a cert extension, then a problem can arise. It was noted
that a non-critical extension (which therefore ought not be rejected
out of hand by an RP) might have a syntax unknown to an RP. Thus the
RP needs to assume that what it received is DER encoded when
computing the signature, as it has no way to recompute the DER.
Steve
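An added example, not from the thread or any of its authors, that works through Steve's two readings in code. It is a minimal BER/DER TLV walker (standard library only, single-byte tags assumed) applied to a constructed sample Extension whose extnValue contents are BER-legal but not DER: the inner SEQUENCE uses a long-form length (81 03) where DER requires the short form (03). The basicConstraints OID (2.5.29.19) is used purely as a sample identifier, and a SHA-256 digest stands in for the signature input. Re-encoding only down to the OCTET STRING leaves the received bytes unchanged; re-encoding below it changes them, which is exactly why an RP that does not know an extension's syntax must take the received bytes as the thing that was signed.

```python
"""Added example: why "stop at the OCTET STRING" is the usable reading.

Standard library only. Sample bytes are constructed for illustration;
a SHA-256 digest stands in for the real signature input.
"""
import hashlib

OCTET_STRING = 0x04
SEQUENCE = 0x30
OID = 0x06
BOOLEAN = 0x01


def parse_tlv(data: bytes, off: int = 0):
    """Parse one BER/DER TLV (single-byte tag) at `off`.

    Returns (tag, value_bytes, end_offset). Indefinite length is
    rejected because it can never appear in DER.
    """
    tag = data[off]
    off += 1
    first = data[off]
    off += 1
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F
        length = int.from_bytes(data[off:off + n], "big")
        off += n
    value = data[off:off + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, off + length


def encode_tlv(tag: int, value: bytes) -> bytes:
    """DER-encode a TLV: shortest possible length octets."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def normalize(data: bytes, below_octet_string: bool) -> bytes:
    """Re-encode every TLV in `data` with DER (minimal) lengths.

    Constructed types (bit 6 of the tag set) are always descended into.
    An OCTET STRING is treated as opaque unless below_octet_string is
    True, in which case its contents are parsed as a nested structure.
    That second mode is the reading an RP cannot apply in general: it
    would have to know the syntax of every (non-critical) extension.
    """
    out = b""
    off = 0
    while off < len(data):
        tag, value, off = parse_tlv(data, off)
        if tag & 0x20 or (tag == OCTET_STRING and below_octet_string):
            value = normalize(value, below_octet_string)
        out += encode_tlv(tag, value)
    return out


def build_sample_extension() -> bytes:
    """Constructed sample: Extension ::= SEQUENCE { extnID, extnValue }.

    extnValue wraps BasicConstraints SEQUENCE { cA BOOLEAN TRUE }, but
    the inner SEQUENCE carries a long-form length (81 03) where DER
    requires the short form (03). The outer levels are proper DER.
    """
    ext_id = encode_tlv(OID, bytes([0x55, 0x1D, 0x13]))  # 2.5.29.19, sample only
    inner_ber = bytes([SEQUENCE, 0x81, 0x03, BOOLEAN, 0x01, 0xFF])  # not DER
    ext_value = encode_tlv(OCTET_STRING, inner_ber)
    return encode_tlv(SEQUENCE, ext_id + ext_value)


def digest(b: bytes) -> str:
    """Stand-in for the signature input: a hash over the exact bytes."""
    return hashlib.sha256(b).hexdigest()


def compare(received: bytes) -> dict:
    """Compare the two normalization policies against the received bytes."""
    stop = normalize(received, below_octet_string=False)
    deep = normalize(received, below_octet_string=True)
    return {
        "stop_at_octet_string_preserves_bytes": stop == received,
        "descending_changes_bytes": deep != received,
        "digest_received": digest(received),
        "digest_deep": digest(deep),
    }


if __name__ == "__main__":
    ext = build_sample_extension()
    print("received:", ext.hex())
    print("deep DER:", normalize(ext, True).hex())
    for k, v in compare(ext).items():
        print(f"{k}: {v}")
```

The walker only canonicalizes lengths, which is enough to show the effect; full DER also fixes things like BOOLEAN TRUE being 0xFF and SET ordering, and those would change bytes in the same way. The practical rule the example supports: verify the signature over the tbsCertificate octets exactly as received, and never over a re-serialization.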