Re: [pkix] World's smallest well-formed certificate

Annie <a.yousar@informatik.hu-berlin.de> Thu, 19 May 2016 13:14 UTC

To: Rob Stradling <rob.stradling@comodo.com>
References: <7b8c0b5a-2133-b094-2d09-e37efae98994@seantek.com> <af723bb1-9cf6-d18d-7d0a-3c709daa0a94@comodo.com> <CA+i=0E78phJHizoOniU3+wrJBWKbLhCKwZKVF5oLC0xwqV74GQ@mail.gmail.com> <fb33f32a-531b-5091-6fe2-53f6c92867fd@comodo.com>
From: Annie <a.yousar@informatik.hu-berlin.de>
Message-ID: <0a1a9e85-3e23-f4f6-1a9b-48e566e1b2af@informatik.hu-berlin.de>
Date: Thu, 19 May 2016 15:14:03 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/0t12q0OrSsnMnL2tBugzhRPQj2Y>
Cc: pkix@ietf.org
Subject: Re: [pkix] World's smallest well-formed certificate

There is not only one smallest certificate but many: any serial number
less than 128 gives a cert of the same length. The same applies to the
validity time.

Note that my cert
-----BEGIN CERTIFICATE-----
MDwwMgIBfzADBgEAMAAwGhcLMTYwNTE4MDEwMVoXCzE3MDUxODAyMDJaMAAwCDAD
BgEAAwEAMAMGAQADAQA=
-----END CERTIFICATE-----

is only 60 bytes long, therefore Ann wins.
Explanation: the seconds in UTC time are optional.

/Ann.

On 18.05.2016 at 15:20, Rob Stradling wrote:
> On 18/05/16 14:01, Erwann Abalea wrote:
>> Hello,
>>
>> Your examples have serial numbers encoded with a zero length; this is
>> not DER compliant.
>> The Name type used for issuer and subject is an unconstrained SEQUENCE
>> OF, so in theory it can be empty and be well-formed (from a DER point of
>> view).
> 
> Good points.
> 
>> My proposal, 66 octets:
>> -----BEGIN CERTIFICATE-----
>> MEAwNgIBADADBgEAMAAwHhcNMTYwNTE4MDAwMDAwWhcNMTcwNTE4MDAwMDAwWjAA
>> MAgwAwYBAAMBADADBgEAAwEA
>> -----END CERTIFICATE-----
> 
> Erwann wins.  ;-)
>
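Added example, not code from this thread or from any of its participants: a short DER walker in Python that decodes the two certificates quoted above and reports their structure. Its only inputs are the two base64 bodies copied from the messages; the parser, the field names and the lint rules are constructed here. It reports both the total encoded length and the contents length of the outer SEQUENCE (the first certificate is 62 bytes on disk with 60 contents octets; the second is 66 bytes with 64), and it applies three conformance checks a validator would apply: X.690 8.3 (an INTEGER has one or more minimal contents octets), RFC 5280 4.1.2.2 (serialNumber is a positive integer), and the UTCTime form. On the last point, X.680 does make the seconds optional, but DER itself (X.690 clause 11.8) and RFC 5280 4.1.2.5.1 both require YYMMDDHHMMSSZ, so the 11-character times are well-formed BER rather than DER.

```python
"""Minimal DER walker for the two certificates quoted in this thread (illustration only)."""
import base64

# Base64 bodies copied from the thread: Annie's first, then Erwann's.
ANNIE_PEM = ("MDwwMgIBfzADBgEAMAAwGhcLMTYwNTE4MDEwMVoXCzE3MDUxODAyMDJaMAAwCDAD"
             "BgEAAwEAMAMGAQADAQA=")
ERWANN_PEM = ("MEAwNgIBADADBgEAMAAwHhcNMTYwNTE4MDAwMDAwWhcNMTcwNTE4MDAwMDAwWjAA"
              "MAgwAwYBAAMBADADBgEAAwEA")

SEQUENCE, INTEGER, BIT_STRING, UTCTIME = 0x30, 0x02, 0x03, 0x17


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos:]; return (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length encoding is not DER")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past the end of the buffer")
    return tag, buf[pos:end], end


def read_children(contents):
    """Split the contents of a constructed value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        out.append((tag, val))
    return out


def lint_serial(tag, val):
    """X.690 8.3: one or more minimal octets; RFC 5280 4.1.2.2: must be positive."""
    if tag != INTEGER:
        return "serialNumber is not an INTEGER"
    if len(val) == 0:
        return "serialNumber has zero-length contents (not valid BER, let alone DER)"
    if len(val) > 1 and ((val[0] == 0x00 and not val[1] & 0x80) or
                         (val[0] == 0xFF and val[1] & 0x80)):
        return "serialNumber has a redundant leading octet (not DER)"
    if val[0] & 0x80 or not any(val):
        return "serialNumber must be a positive INTEGER (RFC 5280 4.1.2.2)"
    return None


def lint_utctime(tag, val):
    """DER (X.690 11.8) and RFC 5280 4.1.2.5.1 both require the YYMMDDHHMMSSZ form."""
    if tag != UTCTIME:
        return None  # GeneralizedTime is not exercised by these certificates
    s = val.decode("ascii")
    if s.endswith("Z") and s[:-1].isdigit():
        if len(s) == 13:
            return None
        if len(s) == 11:
            return "UTCTime %s omits seconds: allowed by X.680, not by DER or RFC 5280" % s
    return "UTCTime %s is malformed" % s


def inspect_certificate(b64_body):
    """Parse a v1 Certificate; return its dimensions plus conformance findings."""
    der = base64.b64decode(b64_body)
    tag, cert, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("Certificate must be exactly one SEQUENCE")
    tbs, sig_alg, signature = read_children(cert)
    # A v1 tbsCertificate carries no [0] version, so exactly six fields follow.
    serial, tbs_alg, issuer, validity, subject, spki = read_children(tbs[1])
    not_before, not_after = read_children(validity[1])
    findings = [f for f in (lint_serial(*serial), lint_utctime(*not_before),
                            lint_utctime(*not_after)) if f]
    if tbs_alg[1] != sig_alg[1]:
        findings.append("signature algorithm differs between tbsCertificate and Certificate")
    return {
        "encoded_length": len(der),    # what a file on disk measures
        "contents_length": len(cert),  # what the outer length octet says
        "serial": int.from_bytes(serial[1], "big", signed=True) if serial[1] else None,
        "not_before": not_before[1].decode("ascii"),
        "not_after": not_after[1].decode("ascii"),
        "names_empty": len(issuer[1]) == 0 and len(subject[1]) == 0,
        "signature_bits": (len(signature[1]) - 1) * 8 - signature[1][0],
        "findings": findings,
    }


if __name__ == "__main__":
    for who, body in (("Annie", ANNIE_PEM), ("Erwann", ERWANN_PEM)):
        print(who, inspect_certificate(body))
```

Running it shows the 60-versus-66 comparison in the thread measures two different things, and that each certificate trips exactly one of the checks: the shorter one on its two UTCTime values, the longer one on its zero serial number. Both have empty issuer and subject names, a one-octet algorithm OID, and a signature BIT STRING carrying zero bits, which is why neither would get past a real path validator even though both parse.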