Re: X.509 Extensions Enhancements

Dean Povey <povey@dstc.qut.edu.au> Wed, 13 June 2001 01:19 UTC

Message-Id: <200106130031.f5D0Vfm23958@thunder.dstc.qut.edu.au>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Carlin Covey <ccovey@cylink.com>
cc: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org
Subject: Re: X.509 Extensions Enhancements
In-Reply-To: Message from "Carlin Covey" <ccovey@cylink.com> of "Tue, 12 Jun 2001 10:43:50 MST." <KHEDLMGGCCGHDAAKNAFOCEKDCAAA.ccovey@cylink.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 Jun 2001 10:31:41 +1000
From: Dean Povey <povey@dstc.qut.edu.au>
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

>
>Russ,
>
>Thank you for pointing this out.  I had seen the flags in X.509 but
>didn't realize that they had not been incorporated into "son".
>
>But I have a comment concerning the DER encoding of the named bit string.
>Some people interpret X.680/690 as requiring that the DER encoding
>omit trailing zeros from such a named bit string.  I (with some concurrence
>from the X.509 folks) believe that this is an error.  X.680/690 say that
>trailing UNUSED bits are to be omitted.  

I am pretty sure it says to omit trailing zeros in bit fields; this means
that the DER in old implementations and new implementations will be the
same as it should be (although there are a very large number of vendors who
get this wrong and include trailing zeros, particularly in the KeyUsage
extension). If you are being strict about DER then you probably can't
interoperate with anyone anyway :-).

But I'll restrain myself from grumbling about changing an extension syntax
and not changing the OID. This will break so many old implementations
unnecessarily because while they could safely ignore non-critical extensions
that they don't understand, they are probably going to complain if they
parse extensions they recognise and find they contain data they don't
expect.

Oops, that wasn't showing much restraint was it :-).

-- 
Dean Povey,         | e-m: povey@dstc.edu.au | JCSI: Java Crypto Toolkit 
Research Scientist  | ph:  +61 7 3864 5120   | uPKI: C PKI toolkit for embedded
Security Unit, DSTC | fax: +61 7 3864 1282   |       systems
Brisbane, Australia | www: security.dstc.com |
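As an added illustration of the DER point argued in the message above (example code, not part of Dean Povey's mail or of any DSTC toolkit), the following Python encodes a named BIT STRING such as KeyUsage with trailing zero bits dropped, and decodes received values while reporting whether the sender kept those zeros. The bit names are the PKIX KeyUsage names; all sample encodings are constructed.

```python
"""DER encoding of a named BIT STRING such as the X.509 KeyUsage extension.

X.690 (DER) requires that trailing zero bits of a named bit list be dropped
before encoding, so the octets are the same whether the ASN.1 type defines
nine named bits or ten.  The decoder reports encodings that kept the zeros.
"""

# PKIX KeyUsage named bits; bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def encode_named_bits(bits):
    """DER-encode a set of bit positions as a BIT STRING (tag 0x03)."""
    if not bits:
        return b"\x03\x01\x00"  # empty bit string: one content octet, zero unused bits
    nbits = max(bits) + 1          # minimal length: stop after the last set bit
    nbytes = (nbits + 7) // 8
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - nbits
    return bytes([0x03, nbytes + 1, unused]) + bytes(value)

def decode_bit_string(der):
    """Parse a short-form DER BIT STRING; return (set of set bit positions, minimal).

    minimal is False when the encoding keeps trailing zero bits, which DER
    forbids for named bit lists but which many implementations emit anyway.
    """
    if len(der) < 3 or der[0] != 0x03 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, value = der[2], der[3:]
    if unused > 7 or (unused and not value) or (unused and value[-1] & ((1 << unused) - 1)):
        raise ValueError("invalid unused-bits count or non-zero padding bits")
    total = len(value) * 8 - unused
    bits = {i for i in range(total) if value[i // 8] & (0x80 >> (i % 8))}
    minimal = (max(bits) + 1 == total) if bits else (total == 0)
    return bits, minimal

def key_usage_names(der):
    """Decode a KeyUsage value into bit names in bit order, plus the minimality flag."""
    bits, minimal = decode_bit_string(der)
    ordered = sorted(KEY_USAGE_BITS.items(), key=lambda kv: kv[1])
    return [name for name, pos in ordered if pos in bits], minimal
```

A lenient decoder that accepts the non-minimal form but logs it lets you interoperate with the vendors mentioned above while still spotting who emits incorrect DER.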