Re: X.509 Extensions Enhancements

"Hoyt L. Kesterson II" <hoytkesterson@earthlink.net> Wed, 13 June 2001 08:25 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA17443 for <pkix-archive@odin.ietf.org>; Wed, 13 Jun 2001 04:25:51 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f5D7j5i19567 for ietf-pkix-bks; Wed, 13 Jun 2001 00:45:05 -0700 (PDT)
Received: from phnxpop5.phnx.uswest.net (pop.phnx.uswest.net [206.80.192.5]) by above.proper.com (8.11.3/8.11.3) with SMTP id f5D7j4J19561 for <ietf-pkix@imc.org>; Wed, 13 Jun 2001 00:45:04 -0700 (PDT)
Received: (qmail 23451 invoked by uid 0); 13 Jun 2001 07:45:03 -0000
Received: from dialupk93.phnx.uswest.net (HELO ?10.0.1.23?) (209.180.136.93) by pop.phnx.uswest.net with SMTP; 13 Jun 2001 07:45:03 -0000
Date: Wed, 13 Jun 2001 00:29:16 -0700
Message-Id: <a05100302b74cc67e0d72@[10.0.1.20]>
From: "Hoyt L. Kesterson II" <hoytkesterson@earthlink.net>
To: ietf-pkix@imc.org
Mime-Version: 1.0
X-Sender: hoytkesterson@mail.earthlink.net
In-Reply-To: <200106130031.f5D0Vfm23958@thunder.dstc.qut.edu.au>
References: <200106130031.f5D0Vfm23958@thunder.dstc.qut.edu.au>
Subject: Re: X.509 Extensions Enhancements
Content-Type: text/html; charset="us-ascii"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>

From clause 7 of X.509:

If unknown elements appear within the extension, and the extension is not marked critical, those unknown elements shall be ignored according to the rules of extensibility documented in 7.5.2.2 in ITU-T Rec. X.519 | ISO/IEC 9594-5.

   hoyt

At 10:31 AM +1000 6/13/01, Dean Povey wrote:
>
>Russ,
>
>Thank you for pointing this out.  I had seen the flags in X.509 but
>didn't realize that they had not been incorporated into "son".
>
>But I have a comment concerning the DER encoding of the named bit string.
>Some people interpret X.680/690 as requiring that the DER encoding
>omit trailing zeros from such a named bit string.  I (with some concurrence
>from the X.509 folks) believe that this is an error.  X.680/690 say that
>trailing UNUSED bits are to be omitted. 

I am pretty sure it says to omit trailing zeros in bit fields; this means
that the DER in old implementations and new implementations will be the
same as it should be (although there are a very large number of vendors who
get this wrong and include trailing zeros (particularly in the KeyUsage
extension). If you are being strict about DER then you probably can't
interoperate with anyone anyway :-).

But I'll restrain myself from grumbling about changing an extension syntax
and not changing the OID. This will break so many old implementations
unnecessarily because while they could safely ignore non-critical extensions
that they don't understand, they are probably going to complain if they
parse extensions they recognise and find they contain data they don't
expect.

Oops, that wasn't showing much restraint was it :-).

--
Dean Povey,         | e-m: povey@dstc.edu.au | JCSI: Java Crypto Toolkit
Research Scientist  | ph:  +61 7 3864 5120   | uPKI: C PKI toolkit for embedded
Security Unit, DSTC | fax: +61 7 3864 1282   |       systems
Brisbane, Australia | www: security.dstc.com |
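The two rules argued over in this exchange, worked through in code. This is an added example for the archive, not code from the original messages or from either poster's toolkit (JCSI, uPKI), and it uses only the Python standard library. It assumes the KeyUsage named-bit numbering from X.509 / RFC 5280 (bit 0 = digitalSignature through bit 8 = decipherOnly). The strict encoder drops trailing zero bits before computing the unused-bit count, which is the DER rule for named bit lists (X.690 11.2.2) that Dean describes; the non-strict mode reproduces the padded encodings he says many vendors emit; the decoder accepts both and reports whether an encoding is canonical. The last function decodes a hypothetical extension syntax, SEQUENCE { KeyUsage, ... } (not a real X.509 extension, chosen only to illustrate the point), the way the quoted clause 7 of X.509 prescribes: elements the decoder does not know are ignored when the extension is non-critical and rejected when it is critical.

```python
"""DER named BIT STRING (KeyUsage) encoding, a lenient decoder, and the
X.509 clause 7 extensibility rule for unknown trailing elements.
Added example; not code from the original thread or its posters' toolkits."""

# KeyUsage named bits (X.509 / RFC 5280 4.2.1.3). Bit 0 is the most
# significant bit of the first content octet after the unused-bit count.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def encode_length(n):
    """DER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the TLV) for buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:end], end


def encode_bit_string(bits, strict=True):
    """Encode a list of 0/1 (index = named bit number) as a BIT STRING.

    strict=True applies the DER rule for named bit lists: trailing zero
    bits are removed before the unused-bit count is computed.
    strict=False keeps every bit given, mimicking encoders that emit a
    fixed-width KeyUsage value with trailing zeros (valid BER, not DER).
    """
    bits = list(bits)
    if strict:
        while bits and bits[-1] == 0:
            bits.pop()
    nbytes = (len(bits) + 7) // 8
    unused = nbytes * 8 - len(bits)
    value = bytearray(nbytes)
    for i, b in enumerate(bits):
        if b:
            value[i // 8] |= 0x80 >> (i % 8)
    content = bytes([unused]) + bytes(value)
    return b"\x03" + encode_length(len(content)) + content


def decode_bit_string(der):
    """Lenient decoder: accepts trimmed (DER) and padded (BER) encodings.
    Unused bits are masked off rather than rejected."""
    tag, content, end = read_tlv(der)
    if tag != 0x03 or end != len(der) or not content:
        raise ValueError("not a single BIT STRING")
    unused, value = content[0], content[1:]
    if unused > 7 or (unused and not value):
        raise ValueError("bad unused-bit count")
    nbits = len(value) * 8 - unused
    return [(value[i // 8] >> (7 - i % 8)) & 1 for i in range(nbits)]


def encode_key_usage(names, strict=True):
    bits = [0] * len(KEY_USAGE_BITS)
    for name in names:
        bits[KEY_USAGE_BITS[name]] = 1
    return encode_bit_string(bits, strict)


def decode_key_usage(der):
    bits = decode_bit_string(der)
    return {n for n, i in KEY_USAGE_BITS.items() if i < len(bits) and bits[i]}


def is_canonical_bit_string(der):
    """True iff a strict DER encoder would reproduce this exact encoding."""
    return encode_bit_string(decode_bit_string(der)) == der


def encode_sequence(elements):
    body = b"".join(elements)
    return b"\x30" + encode_length(len(body)) + body


def decode_keyusage_extension(der, critical):
    """Decode a HYPOTHETICAL extension syntax SEQUENCE { KeyUsage, ... }.
    A decoder written for the original one-element syntax ignores any
    later elements when the extension is non-critical (X.509 clause 7)
    and rejects them when it is critical. Returns (names, ignored_count)."""
    tag, content, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a SEQUENCE")
    _, _, pos = read_tlv(content)
    names = decode_key_usage(content[:pos])
    ignored = 0
    while pos < len(content):          # elements this decoder does not know
        _, _, pos = read_tlv(content, pos)
        ignored += 1
    if ignored and critical:
        raise ValueError("unknown element in critical extension")
    return names, ignored


if __name__ == "__main__":
    ku = ["digitalSignature", "keyEncipherment"]
    print("DER    :", encode_key_usage(ku).hex())                # 030205a0
    print("padded :", encode_key_usage(ku, strict=False).hex())  # 030307a000
    ext = encode_sequence([encode_key_usage(ku), b"\x02\x01\x05"])  # extra INTEGER
    print("non-critical:", decode_keyusage_extension(ext, critical=False))
```

The canonical check is what a strict verifier would apply before trusting a signature over re-encoded data; the lenient decoder is what you need to interoperate with the padded KeyUsage values the thread complains about. Note the trailing INTEGER in the demo is a constructed stand-in for whatever a revised syntax might append, not a real X.509 field.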