From: Christian Huitema
<Christian(_dot_)Huitema(_at_)sophia(_dot_)inria(_dot_)fr>
From pem-dev-request(_at_)magellan(_dot_)TIS(_dot_)COM Thu Feb 24 03:25:45 1994
2) subvert the X.509 certificate structure, e.g. changing the name definition
from:
    Name ::=
        SEQUENCE OF
            SET OF SEQUENCE {
                att-type    OBJECT IDENTIFIER,
                att-value   ANY DEFINED BY att-type }
to:
    Name ::=
        SEQUENCE OF
            CHOICE {
                x500classic SET OF SEQUENCE {
                                att-type    OBJECT IDENTIFIER,
                                att-value   ANY DEFINED BY att-type },
                dnstoken    IA5String }
In fact, I would tend to favour the second approach, for this is the one with
the smallest overhead and also the smallest insertion of "arbitrary
information".
There is no need to do this.
The Name definition is in fact already a CHOICE at the outermost
level. From 1988 X.501,
    NAME ::= CHOICE { --- Only One Possibility for now ---
        RDNSequence }
RDNSequence is what you have given as the ASN.1 for Name.
So, since now is already past (it is 1994), why not
    NAME ::= CHOICE {
        x500classic RDNSequence,
        dnstoken    IA5String }
Or even better, to be completely general, instead of IA5String,
we can have a
    { OID, OCTET STRING }
combination, where OID identifies a name space (e.g. DNS) and OCTET
STRING is the natural representation of the name in that name space.
All of this can be done without subverting anything.
Ashar.
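The following is an added example and is not code from this thread, from Christian or from Ashar. It is a minimal DER encoder and decoder for the three Name shapes discussed in the message: the classic RDNSequence, the proposed "dnstoken IA5String" alternative, and the more general { OID, OCTET STRING } pair. It shows the property that makes the outer-level CHOICE work: the CHOICE itself adds no bytes, so a decoder distinguishes the alternatives purely by the outer tag, and that only works while every alternative carries a distinct tag. Because the { OID, OCTET STRING } pair is itself a SEQUENCE (tag 0x30, the same as RDNSequence), the example wraps it in a context-specific [0] tag; that tagging, the name-space OID (a constructed placeholder, not a registered arc), one attribute per RDN, and PrintableString attribute values are all assumptions of this example, not anything the thread specifies.

```python
# Added example (not from the pem-dev thread): a tiny DER encoder/decoder for
#   NAME ::= CHOICE { x500classic RDNSequence,
#                     dnstoken    IA5String,
#                     namespace   [0] IMPLICIT SEQUENCE { OID, OCTET STRING } }
# The [0] tag on the third alternative is this example's own choice: without
# it, two alternatives would share the SEQUENCE tag and the CHOICE would be
# ambiguous on the wire. Universal tag numbers are the standard ones; the
# name-space OID and the sample names are constructed for the example.

TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_PRINTABLE_STRING = 0x13
TAG_IA5STRING = 0x16
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_CTX0_CONSTRUCTED = 0xA0          # [0] IMPLICIT, constructed

OID_COMMON_NAME = "2.5.4.3"          # real X.520 commonName arc
OID_DNS_NAMESPACE = "1.3.6.1.4.1.99999.1"   # constructed placeholder, not registered


def encode_length(n: int) -> bytes:
    """DER length: short form below 128, otherwise long form with minimal bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_x500classic(rdns):
    """RDNSequence: SEQUENCE OF SET OF SEQUENCE { OID, value }, one attribute per RDN."""
    body = b""
    for oid, text in rdns:
        ava = tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_PRINTABLE_STRING, text.encode("ascii")))
        body += tlv(TAG_SET, ava)
    return tlv(TAG_SEQUENCE, body)


def encode_dnstoken(name: str) -> bytes:
    """dnstoken IA5String, exactly as in the proposed CHOICE."""
    return tlv(TAG_IA5STRING, name.encode("ascii"))


def encode_namespace_name(namespace_oid: str, raw: bytes) -> bytes:
    """[0] IMPLICIT SEQUENCE { OID, OCTET STRING }: a name in an arbitrary name space."""
    return tlv(TAG_CTX0_CONSTRUCTED, encode_oid(namespace_oid) + tlv(TAG_OCTET_STRING, raw))


def split_tlv(data: bytes, offset: int = 0):
    """Return (tag, content, offset_after) for the TLV that starts at offset."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    if offset + length > len(data):
        raise ValueError("length runs past end of buffer")
    return tag, data[offset:offset + length], offset + length


def decode_x500classic(content: bytes):
    rdns, off = [], 0
    while off < len(content):
        set_tag, set_body, off = split_tlv(content, off)
        if set_tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        seq_tag, ava, _ = split_tlv(set_body)
        if seq_tag != TAG_SEQUENCE:
            raise ValueError("attribute must be a SEQUENCE")
        _, oid_body, next_off = split_tlv(ava)
        _, val_body, _ = split_tlv(ava, next_off)
        rdns.append((decode_oid(oid_body), val_body.decode("ascii")))
    return rdns


def decode_name(der: bytes):
    """Dispatch on the outer tag: the CHOICE contributes no bytes of its own."""
    tag, content, end = split_tlv(der)
    if end != len(der):
        raise ValueError("trailing bytes after Name")
    if tag == TAG_SEQUENCE:
        return ("x500classic", decode_x500classic(content))
    if tag == TAG_IA5STRING:
        return ("dnstoken", content.decode("ascii"))
    if tag == TAG_CTX0_CONSTRUCTED:
        _, oid_body, next_off = split_tlv(content)
        _, raw, _ = split_tlv(content, next_off)
        return ("namespace", (decode_oid(oid_body), raw))
    raise ValueError(f"tag 0x{tag:02x} is not an alternative of Name")
```

A useful side effect of dispatching on the outer tag is visible in `decode_name`: an implementation that only knows the 1988 definition sees an IA5String or [0] tag where it expects a SEQUENCE and fails cleanly rather than misparsing a DNS token as a distinguished name, which is the behaviour one wants from legacy verifiers during a transition like the one proposed here.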