On Fri, Mar 05, 1999, [EMAIL PROTECTED] wrote:

> "Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:
> 
> [snip]
> > Ok, sounds like a reasonable suggestion. But do you want DER+Base64 or just
> > plain DER? Because DER is a binary format while DER+Base64 is the binary plus
> > Base64 transformed and PEM is actually DER+Base64+Header/Footer. So, what
> > exactly do you understand under "DER Base64"? Do you want plain DER or really
> > DER+Base64?
> 
> I defer to our resident munitions expert, Marc VanHeyningen...
> 
> <blockquote>
> We try to be liberal in what we accept, so we can read plain DER as well as 
> DER+Base64 in many cases; for example, trusted roots can be specified in
> either, but if it's plain DER there isn't any good way to specify >1 root
> while DER+Base64 makes it easy to have multiple roots, look at them, cut and
> paste them, etc.
> 
> Credentials files (socks5.certs and friends), similarly, have to contain
> multiple objects (private key, certificate chain of >1 certificate) and so
> the easiest way to store those multiple objects with labels of which is what
> is by using base64 with ----BEGIN FOO----- headers and footers.  This also
> makes it easier to sanity check files by looking at them in text editors,
> reduces headaches with customers who occasionally have to email those files
> to support, etc.  Obviously it makes the files slightly larger but that 
> seems a small price to pay.
> 
> Unless I'm misunderstanding him, I disagree with his assertion that PEM is
> "just" DER + base64 + header/footer; the headers/footers added by PEM are
> more complex than what we use, and what exactly goes in the DER is often
> a bit different, assuming he means the DER of the PKCS stuff rather than
> the PEM stuff.  Our private key, for instance, is stored per PKCS#5/8,
> not per any PEM standard; certificates are raw X.509 DERs,
> base64-encoded with -----BEGIN CERTIFICATE----- thrown in front.
> </blockquote>

Ok, ok, if I understand you correctly, you want mod_ssl to be able to read any
combination.... Let's see what I can do.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
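
Added example, not part of the thread and not mod_ssl or SSLeay code: a Python sketch of a loader that accepts the three encodings discussed above (plain DER, bare DER+Base64, and Base64 with BEGIN/END labels carrying several objects). The function names and the tiny DER samples are constructed for illustration.

```python
import base64
import re

# Labelled block: -----BEGIN <label>----- base64 -----END <label>-----
BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_total_len(buf):
    """Total length of an outer DER SEQUENCE at the start of buf, else None."""
    if len(buf) < 2 or buf[0] != 0x30:       # 0x30 = SEQUENCE tag
        return None
    if buf[1] < 0x80:                        # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def is_der(buf):
    return der_total_len(buf) == len(buf)

def decode_b64(text):
    # validate=True rejects bytes outside the base64 alphabet, so a block that
    # carries RFC 1421 style "Proc-Type:" header lines fails instead of being guessed at.
    return base64.b64decode(b"".join(text.split()), validate=True)

def load_objects(data):
    """Return [(label or None, der_bytes), ...] from any of the three encodings."""
    if is_der(data):                         # plain binary DER: exactly one object
        return [(None, data)]
    blocks = BLOCK.findall(data)
    if blocks:                               # labelled base64: any number of objects
        out = [(label.decode(), decode_b64(body)) for label, body in blocks]
    else:                                    # bare base64, no header/footer
        out = [(None, decode_b64(data))]
    for label, der in out:
        if not is_der(der):
            raise ValueError(f"{label or 'object'}: not a single DER SEQUENCE")
    return out

# Constructed sample data: two tiny DER SEQUENCEs standing in for real objects.
DER_A = bytes.fromhex("3003020101")
DER_B = bytes.fromhex("3003020102")

def labelled(label, der):
    head, tail = f"-----BEGIN {label}-----\n", f"-----END {label}-----\n"
    return head.encode() + base64.encodebytes(der) + tail.encode()

BUNDLE = labelled("CERTIFICATE", DER_A) + labelled("CERTIFICATE", DER_B)
```

Only the labelled form yields more than one object here; two plain DER objects concatenated into one file are rejected by this loader rather than split.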
