Re: X.509 Extensions Enhancements

Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de> Wed, 13 June 2001 08:57 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA17621 for <pkix-archive@odin.ietf.org>; Wed, 13 Jun 2001 04:57:23 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f5D88IZ22026 for ietf-pkix-bks; Wed, 13 Jun 2001 01:08:18 -0700 (PDT)
Received: from cdc-info.cdc.informatik.tu-darmstadt.de (cdc-info.cdc.informatik.tu-darmstadt.de [130.83.23.100]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f5D88GJ22022 for <ietf-pkix@imc.org>; Wed, 13 Jun 2001 01:08:16 -0700 (PDT)
Received: from cdc-ws1.cdc.informatik.tu-darmstadt.de (cdc-ws1 [130.83.23.82]) by cdc-info.cdc.informatik.tu-darmstadt.de (Postfix) with ESMTP id B4F642C89; Wed, 13 Jun 2001 10:08:15 +0200 (MET DST)
Received: (from moeller@localhost) by cdc-ws1.cdc.informatik.tu-darmstadt.de (8.9.3+Sun/8.9.3) id KAA12709; Wed, 13 Jun 2001 10:08:14 +0200 (MEST)
Date: Wed, 13 Jun 2001 10:08:14 +0200
From: Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>
To: Carlin Covey <ccovey@cylink.com>
Cc: "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org
Subject: Re: X.509 Extensions Enhancements
Message-ID: <20010613100813.B12609@cdc.informatik.tu-darmstadt.de>
Mail-Followup-To: Bodo Moeller <moeller@cdc.informatik.tu-darmstadt.de>, Carlin Covey <ccovey@cylink.com>, "Housley, Russ" <rhousley@rsasecurity.com>, ietf-pkix@imc.org
References: <5.0.1.4.2.20010612120440.02009ef8@exna07.securitydynamics.com> <KHEDLMGGCCGHDAAKNAFOCEKDCAAA.ccovey@cylink.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.2i
In-Reply-To: <KHEDLMGGCCGHDAAKNAFOCEKDCAAA.ccovey@cylink.com>; from ccovey@cylink.com on Tue, Jun 12, 2001 at 10:43:50AM -0700
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

On Tue, Jun 12, 2001 at 10:43:50AM -0700, Carlin Covey wrote:

> Some people interpret X.680/690 as requiring that the DER encoding
> omit trailing zeros from such a named bit string.  I (with some concurrence
> from the X.509 folks) believe that this is an error.  X.680/690 say that
> trailing UNUSED bits are to be omitted.  Bits (7) and (8) WERE unused,
> and certificates issued in ignorance of the newly defined bits should
> omit them.  But certificates issued in cognizance of the newly defined bits
> should include these bits as either 1 or 0, as appropriate.

I have no idea how one could read this out of X.680 and X.690.

X.680 (12/97), section 21.7, says

     When a "NamedBitList" is used in defining a bitstring type ASN.1
     encoding rules are free to add (or remove) arbitrarily many
     trailing 0 bits to (or from) values that are being encoded or
     decoded.  Application designers should therefore ensure that
     different semantics are not associated with such values which
     differ only in the number of trailing 0 bits.

X.690 (12/97), section 11.2.2, says

     Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 21.7, applies, the
     bitstring shall have all trailing 0 bits removed before it is
     encoded.

(Section 11 is entitled "Restrictions on BER employed by both CER
and DER", section 11.2 is entitled "Unused bits".)

This looks pretty clear to me: Trailing zeros in named bit strings
are forbidden in DER, period.


-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
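To make the DER rule under discussion concrete, here is an added Python example (written for this archive page, not code from the thread or from any of its participants) that encodes a named BIT STRING both ways: the DER form, which drops trailing 0 bits as X.690 11.2.2 requires, and a BER form with an explicit bit count that keeps them. A strict decoder then rejects the second form while a lenient one accepts both and recovers the same set of bits, which is the point of X.680 21.7. The KeyUsage bit names come from RFC 5280 and are used only to make the sample values readable; the sample values themselves are constructed.

```python
"""Named BIT STRING encoding per X.680 21.7 / X.690 11.2.2 (added example).

Bit 0 of a BIT STRING is the most significant bit of the first content
octet; the first content octet of the encoding counts the unused bits in
the final octet (X.690 8.6).  Short-form lengths only (content < 128 octets).
"""

BIT_STRING_TAG = 0x03

# NamedBitList positions from RFC 5280, section 4.2.1.3 (for readability only).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def ber_encode_named_bitstring(set_bits, nbits):
    """BER BIT STRING with an explicit bit count.  Valid BER, but once nbits
    exceeds (highest set bit + 1) the value carries trailing 0 bits and is
    no longer DER."""
    if set_bits and max(set_bits) >= nbits:
        raise ValueError("bit position beyond nbits")
    nbytes = (nbits + 7) // 8
    content = bytearray(nbytes)
    for pos in set_bits:
        content[pos // 8] |= 0x80 >> (pos % 8)
    unused = nbytes * 8 - nbits
    body = bytes([unused]) + bytes(content)
    if len(body) >= 0x80:
        raise ValueError("example supports short-form lengths only")
    return bytes([BIT_STRING_TAG, len(body)]) + body


def der_encode_named_bitstring(set_bits):
    """DER BIT STRING for a NamedBitList type: trailing 0 bits removed
    (X.690 11.2.2), so the bit count is exactly highest set bit + 1."""
    nbits = max(set_bits) + 1 if set_bits else 0
    return ber_encode_named_bitstring(set_bits, nbits)


def decode_bitstring(der, strict=True):
    """Parse one BIT STRING TLV and return (set_bits, nbits).

    strict=True enforces the DER restrictions: the unused-bits count is
    0..7, the unused bits are zero, and, for a named bit string, the last
    encoded bit is 1 (i.e. no trailing 0 bits were kept)."""
    if len(der) < 3 or der[0] != BIT_STRING_TAG:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or length + 2 != len(der):
        raise ValueError("bad or unsupported length")
    unused, content = der[2], der[3:]
    if unused > 7 or (unused and not content):
        raise ValueError("invalid unused-bits octet")
    nbits = len(content) * 8 - unused
    if strict and content:
        if content[-1] & ((1 << unused) - 1):
            raise ValueError("DER: unused bits must be zero")
        # The last encoded bit sits at mask (1 << unused) in the final octet.
        if not (content[-1] >> unused) & 1:
            raise ValueError("DER: named bit string has trailing 0 bits (X.690 11.2.2)")
    set_bits = {i for i in range(nbits) if content[i // 8] & (0x80 >> (i % 8))}
    return set_bits, nbits


def is_der_named_bitstring(der):
    """True if the TLV is an acceptable DER encoding of a named bit string."""
    try:
        decode_bitstring(der, strict=True)
        return True
    except ValueError:
        return False


def demo():
    """Constructed sample: digitalSignature + keyEncipherment, encoded
    minimally (DER) and with all nine KeyUsage bits spelled out (BER)."""
    bits = {KEY_USAGE_BITS["digitalSignature"], KEY_USAGE_BITS["keyEncipherment"]}
    der = der_encode_named_bitstring(bits)        # 03 02 05 a0
    ber = ber_encode_named_bitstring(bits, 9)     # 03 03 07 a0 00
    return {
        "der": der.hex(),
        "ber": ber.hex(),
        "der_is_der": is_der_named_bitstring(der),
        "ber_is_der": is_der_named_bitstring(ber),
        "same_bits": decode_bitstring(der)[0] == decode_bitstring(ber, strict=False)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lenient decoder shows why X.680 tells application designers not to attach meaning to the number of trailing zeros: both encodings yield the same set of named bits. The strict decoder is the check a DER validator (for example, one verifying that a certificate extension is canonically encoded before hashing or comparing it) would apply.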