pem-dev

Re: Proper way to represent a NULL (no entries) CRL?

1993-06-23 09:53:00
From: "Paul C. Clark" <paul(_at_)tis(_dot_)com>

  > Jeff,
  > 
  > My copy of the RFC specifies the revokedCertificates element as OPTIONAL.
  > This means that if there are no entries then there is no encoding and
  > therefore the NULL does not belong.
  > 
  > John
  > 

This is an interesting interpretation. One might also argue that
"optional" implies that either form (with and without the NULL)
is correct, and that the decoding routine should be smart enough
to handle both cases.

I am trying to understand where an interpretation of replacing an empty
OPTIONAL element with a NULL (defined type) comes from.  Can you provide any
support for your statement?

Your suggestion that either form is acceptable is wrong.  The Distinguished
Encoding Rules provide a canonical encoding.  Any such interpretation would
result in DER becoming non-canonical.

I cite section 37.6 of X.208, in particular paragraph 37.6.9 and subparagraphs.

Since both crls and certs have a well defined structure, we
chose to encode with the null and eliminate ambiguity in the
general case where an oid might appear more than once within
an encoded object.

I reject the idea that ambiguity arises from the presence or lack of OPTIONAL
elements.  The syntax is clear.  I make the counter-argument that presence of an
explicit NULL in place of an empty OPTIONAL element inserts ambiguity.

At this point I guess I would be interested to get Steve Kent's
interpretation...

             Paul
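
[Editor's added example; this is not code from the original message, from TIS
or from the pem-dev list.]  The disagreement above is concrete enough to show
in bytes.  Below is a small DER encoder and a strict decoder for a cut-down
TBSCertList, built to contrast three encodings of "no revoked certificates":
the OPTIONAL element omitted (the canonical DER form), an explicit NULL in its
place, and an empty SEQUENCE OF.  A decoder that follows the syntax decides
presence of an OPTIONAL element from the next tag alone, so the NULL is not
needed and, since the syntax gives that position the SEQUENCE tag, cannot be
accepted.  Assumptions: the structure is simplified (issuer is a
PrintableString standing in for Name, the signature AlgorithmIdentifier is
left out), the issuer string and dates are constructed, and the rejection of
an empty SEQUENCE OF follows the rule later codified in RFC 5280 section
5.1.2.6 (when there are no revoked certificates the element MUST be absent),
not anything stated in this thread.

```python
"""
Added example (not from the original pem-dev message): minimal DER encoding
of a simplified TBSCertList and a strict decoder that treats the OPTIONAL
revokedCertificates element the way the syntax does.
"""

# ASN.1 universal tags used here
TAG_INTEGER = 0x02
TAG_NULL = 0x05
TAG_PRINTABLESTRING = 0x13   # stands in for the issuer Name (simplification)
TAG_UTCTIME = 0x17
TAG_SEQUENCE = 0x30          # constructed SEQUENCE / SEQUENCE OF


def der_length(n):
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_entry(serial, revocation_date):
    """SEQUENCE { userCertificate INTEGER, revocationDate UTCTime }"""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ser) + tlv(TAG_UTCTIME, revocation_date.encode("ascii")))


def encode_tbs_certlist(issuer, last_update, next_update, revoked=(), filler=None):
    """
    Simplified TBSCertList ::= SEQUENCE {
        issuer              PrintableString,
        lastUpdate          UTCTime,
        nextUpdate          UTCTime,
        revokedCertificates SEQUENCE OF Entry OPTIONAL }

    `filler` exists only to build the disputed forms when `revoked` is empty:
    None omits the OPTIONAL element (canonical DER), b"\\x05\\x00" splices in
    an explicit NULL, b"\\x30\\x00" an empty SEQUENCE OF.
    """
    parts = [tlv(TAG_PRINTABLESTRING, issuer.encode("ascii")),
             tlv(TAG_UTCTIME, last_update.encode("ascii")),
             tlv(TAG_UTCTIME, next_update.encode("ascii"))]
    if revoked:
        parts.append(tlv(TAG_SEQUENCE, b"".join(encode_entry(s, d) for s, d in revoked)))
    elif filler is not None:
        parts.append(filler)
    return tlv(TAG_SEQUENCE, b"".join(parts))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos); rejects truncation and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, tag, name):
    """Read one TLV and require the tag the syntax assigns to `name`."""
    got, content, pos = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"{name}: expected tag 0x{tag:02x}, got 0x{got:02x}")
    return content, pos


def decode_tbs_certlist(der):
    """Strict decoder: revokedCertificates is present iff a SEQUENCE follows
    nextUpdate.  A NULL there is a tag mismatch; an empty SEQUENCE OF is
    rejected per the RFC 5280 rule that the element must then be absent."""
    body, end = expect(der, 0, TAG_SEQUENCE, "TBSCertList")
    if end != len(der):
        raise ValueError("trailing bytes after TBSCertList")
    issuer, pos = expect(body, 0, TAG_PRINTABLESTRING, "issuer")
    last, pos = expect(body, pos, TAG_UTCTIME, "lastUpdate")
    nxt, pos = expect(body, pos, TAG_UTCTIME, "nextUpdate")
    revoked = []
    if pos < len(body):                      # something follows: must be revokedCertificates
        entries, pos = expect(body, pos, TAG_SEQUENCE, "revokedCertificates")
        if not entries:
            raise ValueError("revokedCertificates with no entries must be omitted, not encoded empty")
        epos = 0
        while epos < len(entries):
            entry, epos = expect(entries, epos, TAG_SEQUENCE, "entry")
            ser, p = expect(entry, 0, TAG_INTEGER, "userCertificate")
            date, p = expect(entry, p, TAG_UTCTIME, "revocationDate")
            if p != len(entry):
                raise ValueError("trailing bytes in entry")
            revoked.append((int.from_bytes(ser, "big", signed=True), date.decode("ascii")))
    if pos != len(body):
        raise ValueError("trailing bytes in TBSCertList")
    return {"issuer": issuer.decode("ascii"), "lastUpdate": last.decode("ascii"),
            "nextUpdate": nxt.decode("ascii"), "revokedCertificates": revoked}


def classify(der):
    """Verdict string for a candidate encoding: 'ok: N entries' or 'rejected: why'."""
    try:
        return f"ok: {len(decode_tbs_certlist(der)['revokedCertificates'])} entries"
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    # Constructed sample issuer and dates (not real CRL data).
    args = ("C=US, O=TIS", "930623095300Z", "930723095300Z")
    for label, der in [("absent", encode_tbs_certlist(*args)),
                       ("NULL", encode_tbs_certlist(*args, filler=b"\x05\x00")),
                       ("empty SEQUENCE", encode_tbs_certlist(*args, filler=b"\x30\x00")),
                       ("one entry", encode_tbs_certlist(*args, revoked=[(4660, "930601120000Z")]))]:
        print(f"{label:15} {der.hex()}  ->  {classify(der)}")
```

The three empty-CRL forms differ in their bytes, which is the canonicity
point: DER allows exactly one encoding of a given value, so a decoder that
accepted both the absent and the NULL form would be accepting two encodings of
the same CRL.  The absent form needs no special handling at all; the decoder
simply finds no bytes after nextUpdate.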


