Re: [saag] ASN.1 vs. DER Encoding

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 23 April 2019 15:08 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Nico Williams <nico@cryptonector.com>
cc: Russ Housley <housley@vigilsec.com>, IETF SAAG <saag@ietf.org>
In-reply-to: <20190423035415.GG3137@localhost>
References: <20190326214816.GB4211@localhost> <1553679912618.8510@cs.auckland.ac.nz> <20190327151545.GG4211@localhost> <20190330153101.GT35679@kduck.mit.edu> <C3D9DD15-AB23-4B42-BA61-A4E4CD826B77@huitema.net> <F6387640-20F3-4B3C-8E61-58CAF7828CA1@tzi.org> <269bee5d-e225-3484-04ed-3e5de6c19081@cs.tcd.ie> <CAMm+Lwi1pNje_9HMYnf-gQN8scggQDTUB0z0uCsy9trtaYKBsg@mail.gmail.com> <20190422211449.GD3137@localhost> <233FB845-976C-49CA-ADA6-C97035A2426F@vigilsec.com> <20190423035415.GG3137@localhost>
Comments: In-reply-to Nico Williams <nico@cryptonector.com> message dated "Mon, 22 Apr 2019 22:54:16 -0500."
Date: Tue, 23 Apr 2019 11:08:23 -0400
Message-ID: <6958.1556032103@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/VnZUPaHmtlWYmGbrhQhJhk0iTOg>
Subject: Re: [saag] ASN.1 vs. DER Encoding

    >> X.500 one are used in certificates.  I strongly encourage people to
    >> keep it simple.  The bits on the wire still get too complicated, but
    >> the code can mostly do exact match processing.

    > To keep it simple means to leave the subjectName empty and use dNSName
    > and rfc822Name SANs instead wherever possible.

Yes, but we can't leave the IssuerDN empty, and if we want chains of
certificates (we do), then we need to put something into the subjectDN.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [