Re: Matching CertIDs between OCSP requests and responses

Jonathan.Tuliani@symbian.com Tue, 20 March 2001 16:43 UTC

From: Jonathan.Tuliani@symbian.com
Subject: Re: Matching CertIDs between OCSP requests and responses
To: Jeff Jacoby <jjacoby@rsasecurity.com>
Cc: ietf-pkix@imc.org
Message-ID: <OFB3DFBE89.83F18BDE-ON80256A15.005AC340@Symbian.com>
Date: Tue, 20 Mar 2001 16:40:13 +0000

Jeff, all,

I believe that if something is DER, then its components should also be.
However, I'm willing to be corrected if someone else wishes to comment.

You're right in your observations that people aren't as strict as they
might be in how they write the specifications.  I have certainly found the
phrasing in certain areas unclear or ambiguous.  This is also true of how
the specifications are then implemented - I've found several minor
transgressions of RFC 2456/2560 that simply required me to relax our code a
little.

On the whole, DER is what people are using, so you'd be best to stick to
that.  My advice would be that as far as is possible (and safe) you should
be strict in what you encode, and generous in what you decode.  And there
is no substitute for interoperability testing.

Jonathan
------------
Dr Jonathan Tuliani
www.symbian.com

Jeff Jacoby <jjacoby@rsasecurity.com> wrote on 20/03/01 16:17, to ietf-pkix@imc.org, subject "Re: Matching CertIDs between OCSP requests and responses":

Jonathan,

[some snippage]

Reading both 2560 and the draft for v2, I see this regarding DER
encoding:

 1. Before calculating hashes and signatures, DER is specified in
    various sections

 2. In section 4.1.1 Request Syntax, aside from items noted in 1.
    above, there is no other mention of a DER encoding requirement for
    requests or any part of the request

 3. In section 4.2.1 ASN.1 Specification of the OCSP Response, there is
    an explicit statement that DER shall be used for encoding of
    BasicOCSPResponse

 4. Appendix A OCSP over HTTP, there are explicit statements that DER is
    to be used (but no use of "SHALL" or "MUST") for both requests and
    responses


On point 3 alone -- and this may show off my ignorance of ASN.1 -- does
saying that BasicOCSPResponse must be DER encoded ALSO mean all
subordinate components must be DER encoded as well?

On points 2 and 4 together, it seems that if I use another transport
protocol I'm allowed to encode my requests in BER.  Is this right?

Jeff
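As an added example (not code from either poster), the following Python builds an RFC 2560 CertID strictly in DER, decodes it generously enough to accept a BER long-form length, and matches request and response CertIDs on their decoded fields rather than on raw bytes, which is what breaks when one side is BER and the other is DER. The issuer name and public key bytes are constructed placeholders, and the hash algorithm is fixed to SHA-1 with NULL parameters.

```python
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1 (1.3.14.3.2.26)

def tlv(tag, body):  # DER: short-form length below 0x80, else minimal long form
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def encode_certid(issuer_name_der, issuer_spk_der, serial):  # CertID, RFC 2560 4.1.1
    alg = tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))  # sha1 with NULL parameters
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # positive INTEGER
    return tlv(0x30, alg + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
               + tlv(0x04, hashlib.sha1(issuer_spk_der).digest()) + tlv(0x02, ser))

def ber_long_form(der):  # same content, outer length in needless long form: BER, not DER
    return bytes([der[0], 0x81, der[1]]) + der[2:]  # assumes a short-form input length

def read_tlv(buf, pos, strict):
    """Return (tag, value, next_pos); strict=True rejects non-minimal BER lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, buf[pos:pos + first], pos + first
    if not (nb := first & 0x7F):
        raise ValueError("indefinite length is BER-only; not supported here")
    length = int.from_bytes(buf[pos:pos + nb], "big")
    if strict and (length < 0x80 or buf[pos] == 0):
        raise ValueError("non-minimal length: BER, not DER")
    return tag, buf[pos + nb:pos + nb + length], pos + nb + length

def decode_certid(buf, strict=False):
    """Decode to field values so a match does not depend on the encoding used."""
    _, body, _ = read_tlv(buf, 0, strict)
    _, alg, p = read_tlv(body, 0, strict)
    _, oid, _ = read_tlv(alg, 0, strict)
    _, name_hash, p = read_tlv(body, p, strict)
    _, key_hash, p = read_tlv(body, p, strict)
    _, serial, _ = read_tlv(body, p, strict)
    return {"alg": oid, "issuerNameHash": name_hash, "issuerKeyHash": key_hash,
            "serialNumber": int.from_bytes(serial, "big", signed=True)}

def certids_match(request_certid, response_certid, strict=False):
    """Compare decoded fields, not raw bytes; strict=True refuses a BER-encoded CertID."""
    try:
        return decode_certid(request_certid, strict) == decode_certid(response_certid, strict)
    except ValueError:
        return False
```

A raw byte comparison of the two encodings fails even though every field is identical; comparing decoded fields is what "generous in what you decode" means for CertID matching, while the strict mode is what a responder that insists on DER would do.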
