This is definitely a problem with the definition of DER in X.509. It is not
addressed in X.509 (93) or in ISO 8825-3 (CER and DER) either.
I disagree. Neither DER nor CER is responsible for this problem. In general it
is possible and perfectly legal to assign different semantics to omission of a
sequence versus the presence of an empty sequence. Since these can be used to
mean different things, it is not the job of the encoding rules to make these
produce the same bits on the wire. In fact, it would be illegal for an encoding
to do this because important semantics could actually be lost.
Different semantics should be expressed in different ASN.1 definitions instead of
using different encodings of the same ASN.1 definition. If you do the latter,
you will always have problems of that kind again. ASN.1 encoders normally don't
know the semantic context. They get an ASN.1 statement as input, and they produce
a code. The purpose of DER is to ensure that a particular ASN.1 definition leads
to a unique encoding. If the same ASN.1 statement can lead to two legal encodings,
the encoding is not 'distinguished' in the sense of DER. I also don't see the
difference (with respect to DER) between the DEFAULT notation which is addressed
by DER and the OPTIONAL notation which is not.
However, I think pem-dev is not the right place to discuss these ASN.1 matters,
and our particular CRL problem must be solved in RFC 1422 anyway, as outlined by
Steve in a previous message. Sorry for wasting this mailing list with these
issues.
Ned
Wolfgang
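The OPTIONAL-versus-DEFAULT distinction argued in the thread above, as an added worked example that is not part of the original messages or of any PEM implementation. It assumes two hypothetical ASN.1 definitions (not from the thread): `Example`, whose `items` component is `SEQUENCE OF INTEGER OPTIONAL`, and `Example2`, whose `items` is `SEQUENCE OF INTEGER DEFAULT {}`. With OPTIONAL, "absent" and "present but empty" are two distinct abstract values and therefore legitimately get two distinct DER encodings; with DEFAULT, DER requires a component equal to its default to be omitted, so there is exactly one encoding, and a DER-strict decoder must reject the explicit empty sequence that BER would still accept. The encoder and the toy parser below are written from scratch; the parser handles short-form lengths only.

```python
# Added example (not from the pem-dev thread). Hypothetical ASN.1 (assumption):
#
#   Example  ::= SEQUENCE { version INTEGER, items SEQUENCE OF INTEGER OPTIONAL }
#   Example2 ::= SEQUENCE { version INTEGER, items SEQUENCE OF INTEGER DEFAULT {} }
#
# Tags used: 0x02 = INTEGER, 0x30 = SEQUENCE / SEQUENCE OF (constructed).

def der_length(n: int) -> bytes:
    """DER definite-form length: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value with a DER length."""
    return bytes([tag]) + der_length(len(content)) + content

def der_integer(value: int) -> bytes:
    """DER INTEGER: two's complement in the minimal number of octets."""
    if value == 0:
        return der_tlv(0x02, b"\x00")
    nbytes = (value.bit_length() + 8) // 8   # +8 leaves room for the sign bit
    content = value.to_bytes(nbytes, "big", signed=True)
    # DER forbids redundant leading 0x00 / 0xFF octets; strip them if present.
    while len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80) or
        (content[0] == 0xFF and content[1] >= 0x80)):
        content = content[1:]
    return der_tlv(0x02, content)

def der_sequence_of_integers(values) -> bytes:
    return der_tlv(0x30, b"".join(der_integer(v) for v in values))

def encode_optional_variant(version: int, items) -> bytes:
    """Example (items OPTIONAL). None = absent, [] = present but empty.
    These are two different abstract values, so DER yields two different
    encodings, and both are valid DER."""
    body = der_integer(version)
    if items is not None:
        body += der_sequence_of_integers(items)
    return der_tlv(0x30, body)

def encode_default_variant(version: int, items) -> bytes:
    """Example2 (items DEFAULT {}). Under DER a component equal to its default
    value must be omitted, so None and [] encode to the same bytes."""
    body = der_integer(version)
    if items:                      # non-empty differs from the default: encode it
        body += der_sequence_of_integers(items)
    return der_tlv(0x30, body)

def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos -> (tag, content, next_pos). Short-form lengths only."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not handled by this toy parser")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated encoding")
    return tag, buf[start:end], end

def check_default_variant_is_der(encoded: bytes) -> bool:
    """True iff 'encoded' is valid DER for Example2. An explicitly encoded empty
    'items' equals the DEFAULT value; BER permits it, DER does not, so a
    DER-strict decoder rejects it rather than letting one abstract value have
    two encodings."""
    tag, body, end = _read_tlv(encoded, 0)
    if tag != 0x30 or end != len(encoded):
        return False
    tag, _, pos = _read_tlv(body, 0)
    if tag != 0x02:
        return False
    if pos == len(body):
        return True                # items absent: the default applies
    tag, content, pos = _read_tlv(body, pos)
    if tag != 0x30 or pos != len(body):
        return False
    return len(content) != 0       # empty SEQUENCE here is BER-only, not DER

if __name__ == "__main__":
    print("OPTIONAL, absent :", encode_optional_variant(5, None).hex())
    print("OPTIONAL, empty  :", encode_optional_variant(5, []).hex())
    print("DEFAULT,  absent :", encode_default_variant(5, None).hex())
    print("DEFAULT,  empty  :", encode_default_variant(5, []).hex())
    print("DEFAULT, explicit empty accepted as DER?",
          check_default_variant_is_der(bytes.fromhex("30050201053000")))
```

Running the block shows the two OPTIONAL cases as `3003020105` and `30050201053000`, both DER, while both DEFAULT cases collapse to `3003020105`; feeding the explicit `...3000` form to the DEFAULT checker returns False. That is the point of the reply: the encoding rules keep distinct abstract values distinct, and only a notation such as DEFAULT, which makes two spellings denote the same value, gives DER something to normalise.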