I was wondering if someone knows if the DER-encoding of certificates in the X.509-standard is optional or not (old versions of the ASN.1 standards seem to demand this, but newer does not mention it). Is there valid certificates with parts of them encoded in BER, or rather, is there valid certificates with inner parts (parts of tbscertificate, signatureAlgorithm or SignatureValue) using the "indefinite-length method" of BER (the only demand being that they have to be re-encoded in DER when an application wants to check validity)? Or does that always make such certificates invalid? / Fredrik
