
Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CA certificate

2009-01-05 22:10:44

At 8:10 AM -0600 1/5/09, Timothy J. Miller wrote:
Ben Laurie wrote:

I am not suggesting that we should fix X.509, I am pointing out, in my
own roundabout way, that X.509 certs are supposed to have a canonical
form. But it seems they do not.

That was last month's major discussion on PKIX. The upshot: there's no canonical form other than what's in memory.

-- Tim


Your response is an oversimplification, in several respects.

Ben's comment was a bit ill-formed. It's not that certs in general do or do not have a canonical form, but whether a given cert has a canonical representation. If the cert has no extensions, then it does. If it has extensions, then since the top-level extension syntax is a SEQUENCE, the order of extensions in that sequence (when the cert was signed) is definitive. (If that syntax had called for a SET, then DER encoding would impose an order at this level, so use of the SEQUENCE construct here makes life a bit easier.)

The context in which there is some disagreement is whether an extension needs to be DER encoded below the next level, where it is defined as an OCTET string. If one stops at the OCTET string level, then life is easy and an RP can always encode to DER upon receipt (since the base cert format IS known by all RPs and they are technically capable of encoding it in DER).

If one interprets X.509 to require DER for the lower levels of the structure of a cert extension, then a problem can arise. It was noted that a non-critical extension (which therefore ought not be rejected out of hand by an RP) might have a syntax unknown to an RP. Thus the RP needs to assume that what it received is DER encoded when computing the signature, as it has no way to recompute the DER.
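
The "stop at the OCTET string level" reading from the message above, as an added example that is not part of the original e-mail: a relying party re-encodes the Extensions wrapper in DER, keeps the signed SEQUENCE order, and treats each extension value as opaque bytes. The function names are hypothetical, and the OIDs (under the 2.999 example arc) and byte strings are constructed.

```python
# Added example: DER-normalise Extensions down to the OCTET STRING level only.
# Function names are hypothetical; all OIDs and byte strings are constructed.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos=0):
    """Read one definite-length TLV, tolerating non-minimal (BER) lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite length not handled")
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def normalise_extensions(raw):
    """Re-encode Extensions in DER; extnValue contents are kept as opaque bytes."""
    out = b""
    for _, ext in children(read_tlv(raw)[1]):   # SEQUENCE: signed order is kept
        fields = children(ext)
        critical = len(fields) == 3 and fields[1][1] != b"\x00"
        enc = tlv(0x06, fields[0][1])
        if critical:                            # DEFAULT FALSE is omitted in DER
            enc += tlv(0x01, b"\xff")
        out += tlv(0x30, enc + tlv(0x04, fields[-1][1]))
    return tlv(0x30, out)

# Unknown extension 2.999.1 whose value has a non-minimal inner length (0x81 0x03).
EXT_A = tlv(0x30, tlv(0x06, bytes.fromhex("883701")) + tlv(0x04, bytes.fromhex("30810302012a")))
EXT_B = tlv(0x30, tlv(0x06, bytes.fromhex("883702")) + tlv(0x01, b"\xff") + tlv(0x04, b"\x05\x00"))
BER_EXTS = b"\x30\x81" + bytes([len(EXT_A + EXT_B)]) + EXT_A + EXT_B  # non-minimal outer length
```

The non-DER bytes inside the unknown extension pass through unchanged, which is the situation the last paragraph describes: the RP has to take that value as received.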