Re: [pkix] Signature Verification and DER requirements

mrex@sap.com (Martin Rex) Fri, 15 May 2015 18:32 UTC

In-Reply-To: <555602A4.50109@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Fri, 15 May 2015 20:32:08 +0200
Message-Id: <20150515183208.AC93F1B2FB@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/ZNZFxTfqGR6FO31mOLl0_8SmAJc>
Cc: 'IETF PKIX' <pkix@ietf.org>
Subject: Re: [pkix] Signature Verification and DER requirements

Stephen Farrell wrote:
> 
> Loooong ago there used be a few circumstances in which people
> unwisely BER encoded certificates.
>
>  [...]
> 
> In such a case your code might be presented with a BER encoding
> of a certificate (in the envelope) and have to reconstruct the
> DER encoding. I'd say it was a dumb idea even then but I think
> we ran into it. IIRC most other cases were really bugs, where
> people used the wrong inputs to ASN.1 encoders because they
> didn't know better or were lazy.
> 
> I would guess/hope all such code is long gone now though.

One of the (allegedly) popular public CAs (for TLS webserver certs)
seemed to be issuing non-ASN.1-DER certificates about a year ago.

http://www.ietf.org/mail-archive/web/tls/current/msg11845.html


But the more confusing issue about X.509 is that they managed
to screw up the definition of X.509v2 CRLs (with the
specified semantics for the optional TBSCertList version field),
such that there exist two _different_ canonical ASN.1 DER encodings.

-Martin
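The thread turns on one practical point: a signature is computed over a specific octet string, so a relying party that receives a BER encoding cannot verify it against the DER bytes the signer hashed without first reconstructing that DER encoding, and a strict verifier will simply reject the BER input. The following added example (not code from either poster or from any IETF document) shows both behaviours on a toy structure: a strict checker that refuses the two most common BER-only constructs (indefinite length and non-minimal length octets), a lenient parser that canonicalises them back to DER, and a digest comparison showing why the re-encoding step matters. The sample byte strings are constructed for this example, and the walker handles single-octet tags only, which is enough for the point being made.

```python
"""Added example: DER-strictness check and BER->DER canonicalisation (toy)."""
import hashlib


class DerError(ValueError):
    """Raised for encodings BER permits but DER forbids, or for malformed input."""


def _encode_length(n):
    """Minimal (DER) length encoding: short form below 128, else shortest long form."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def _read_length(buf, i, strict):
    """Return (length, index after the length); length is None for the indefinite form."""
    if i >= len(buf):
        raise DerError("truncated length at offset %d" % i)
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    if first == 0x80:  # indefinite form: BER only, never valid DER
        if strict:
            raise DerError("indefinite length (BER only) at offset %d" % (i - 1))
        return None, i
    n = first & 0x7F
    if n == 0x7F or i + n > len(buf):
        raise DerError("reserved or truncated length at offset %d" % (i - 1))
    octets = buf[i:i + n]
    length = int.from_bytes(octets, "big")
    # DER forbids leading zero length octets and long form for values below 128
    if strict and (octets[0] == 0 or length < 0x80):
        raise DerError("non-minimal length (BER only) at offset %d" % (i - 1))
    return length, i + n


def _walk(buf, i, end, strict):
    """Re-encode the TLVs in buf[i:end] as DER. Returns (der_bytes, index after last TLV)."""
    out = bytearray()
    while i < end:
        tag = buf[i]
        if tag == 0x00:  # end-of-contents octets; caller decides whether they belong here
            return bytes(out), i
        if tag & 0x1F == 0x1F:
            raise DerError("multi-octet tags are not handled in this example")
        length, j = _read_length(buf, i + 1, strict)
        constructed = bool(tag & 0x20)
        if length is None:
            if not constructed:
                raise DerError("indefinite length on primitive at offset %d" % i)
            inner, k = _walk(buf, j, end, strict)
            if buf[k:k + 2] != b"\x00\x00":
                raise DerError("missing end-of-contents octets at offset %d" % k)
            i = k + 2
        else:
            if j + length > end:
                raise DerError("value overruns enclosing element at offset %d" % i)
            if constructed:
                inner, k = _walk(buf, j, j + length, strict)
                if k != j + length:
                    raise DerError("stray end-of-contents at offset %d" % k)
            else:
                inner = bytes(buf[j:j + length])
            i = j + length
        out += bytes([tag]) + _encode_length(len(inner)) + inner
    return bytes(out), i


def is_der(buf):
    """True iff buf is a complete element using only DER-permitted encodings."""
    try:
        _, i = _walk(buf, 0, len(buf), strict=True)
    except DerError:
        return False
    return i == len(buf)


def to_der(buf):
    """Canonicalise a BER element to DER (the 'reconstruct the DER' step)."""
    der, i = _walk(buf, 0, len(buf), strict=False)
    if i != len(buf):
        raise DerError("trailing octets after element")
    return der


def sha256_hex(buf):
    """Digest of the exact octets; this is what a signature actually covers."""
    return hashlib.sha256(buf).hexdigest()


# Constructed samples: SEQUENCE { INTEGER 2, OCTET STRING "ab" } in three encodings.
DER_SAMPLE = bytes.fromhex("3007020102040261 62".replace(" ", ""))
BER_LONG_FORM = bytes.fromhex("308107020102040261 62".replace(" ", ""))  # length 7 in long form
BER_INDEFINITE = bytes.fromhex("3080020102040261620000")               # indefinite + EOC

if __name__ == "__main__":
    for name, sample in (("DER", DER_SAMPLE), ("BER long form", BER_LONG_FORM),
                         ("BER indefinite", BER_INDEFINITE)):
        print(name, "is_der:", is_der(sample), "digest as received:", sha256_hex(sample)[:16],
              "digest after to_der:", sha256_hex(to_der(sample))[:16])
```

The two digests differ for the BER inputs and agree only after `to_der`, which is exactly why a verifier that accepts BER has to carry a canonicaliser, and why the safer engineering default is the strict path: refuse anything `is_der` rejects and hash the octets as received.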