Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

[Stephen Kent <kent@bbn.com>]

At 8:10 AM -0600 1/5/09, Timothy J. Miller wrote:
>Ben Laurie wrote:
>
>>I am not suggesting that we should fix X.509, I am pointing out, in my
>>own roundabout way, that X.509 certs are supposed to have a canonical
>>form. But it seems they do not.
>
>That was last month's major discussion on PKIX.  The upshot: there's 
>no canonical form other than what's in memory.
>
>-- Tim

Tim,

Your response is an oversimplification, in several respects.

Ben's comment was a bit ill-formed. It's not that certs in general do 
or do not have a canonical form, but whether a given cert has a 
canonical representation. If the cert has no extensions, then it 
does. If it has extensions, then since the top level extension syntax 
is a SEQUENCE, there the order of extensions in that sequence (when 
the cert was signed) is definitive. (if that syntax had called for a 
SET, then  DER encoding would impose an order at this level, so use 
of the SEQUENCE construct here make life a bit easier.)

The context in which there is some disagreement is whether an 
extension needs to be DER encoded below the next level, where it is 
defined as an OCTET string. If one stops at the OCTET string level, 
the  life is easy and an RP can always encode to DER upon receipt 
(since the base cert format IS known by all RPs and they are 
technically capable of encoding it in DER).

If one interprets X.509 to require DER for the lower levels of the 
structure of a cert extension, then a problem can arise. It was noted 
that a non-critical extension (which therefore ought not be rejected 
out of hand by an RP) might have a syntax unknown to an RP. Thus the 
RP needs to assume that what it received is DER encoded when 
computing the signature, as it has no way to recompute the DER.

Steve
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag