[Cryptography] Is ASN.1 still the thing?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Nov 17 05:14:10 EST 2017

Nico Williams <nico at cryptonector.com> writes:

>If this is what relying parties do, then maybe it's time to update PKIX to
>say that TBSCertificate MUST be encoded in DER and drop the language about
>having to [re-]encode in DER before verifying the signature.

Pretty much every implementer [0] knows this already, because things break if
you do it the way PKIX says.

>Sometimes the spec has to reflect reality.

The PKIX spec has a long and proud history of ignoring reality.  See many,
many discussions on the PKIX list, particularly in the period 2000-2005 or so,
on this.

It's really not the best example to choose if you're going to push for a
standard that reflects a view of the real world :-).


[0] I'm hedging my bets here, I should say "everyone" but I'm sure someone
    will drag up an example from North Korea or somewhere where someone wasn't
    aware of which bits of the PKIX spec you needed to ignore to make it work.

More information about the cryptography mailing list