On Fri, Oct 10, 2025 at 12:29 PM Tim Hollebeek <tim.hollebeek= [email protected]> wrote:
> I mean, this is a definitional thing, so there is no right answer, but
> C509 is so close that I think trying to be a purist and claiming they are
> not X.509 just because they are not ASN.1 encoded will cause more problems
> than it solves.

But they are ASN.1 encoded, just using CBOR Encoding Rules instead of DER. The only thing I am objecting to here is the attempt to use this as a compression scheme for DER signed certs. Just erase that from the specification and I am happy.

> Seeing C509 just as an alternative encoding for traditional ASN.1 certs,
> and that both of them basically encode the same X.509 profile(s) and follow
> similar rules makes more sense to me. So I would put them under the general
> PKIX umbrella.

No problem with that.

> It will also be easier to convince people to adopt them if people realize
> it’s just a different (and better!) encoding for the thing they already
> know and pretend to love.

I would probably not propose this encoding to CABForum any time soon. But I can see it being a lot easier to argue for using PKIX-C certs in the SSH, code signing and OpenPGP community than the DER kind.

> -Tim
>
> *From:* Göran Selander <[email protected]>
> *Sent:* Wednesday, October 8, 2025 9:56 AM
> *To:* Tschofenig, Hannes <[email protected]>; Sipos, Brian J. <[email protected]>; [email protected]
> *Subject:* [COSE] Re: The term "PKIX" and C509
>
> Hi,
>
> C509 defines an invertible CBOR re-encoding of DER encoded X.509
> certificates, which supports large commonly used parts of RFC 5280
> including RFC 7925, IEEE 802.1AR, CAB Baseline, RPKI, and eUICC profiled
> X.509 certificates.
>
> This doesn’t make C509 into X.509. But since the mapping can be reversed
> to obtain the original DER encoded X.509 certificate it can be used as a
> compact representation of X.509 certificates within the PKIX infrastructure.
>
> Hope that helps!
>
> Göran
>
> *From:* Tschofenig, Hannes <[email protected]>
> *Date:* Wednesday, 8 October 2025 at 15:22
> *To:* Sipos, Brian J. <[email protected]>, [email protected] <[email protected]>
> *Subject:* [COSE] Re: The term "PKIX" and C509
>
> Hi Brian!
>
> The term PKIX stands for Public-Key Infrastructure using X.509. Using it
> to refer to other technologies that do not use the same encoding as X.509
> certificates is likely to cause confusion. Note that PKIX also refers to
> the entire infrastructure – not just the format of the cert.
>
> Just my two cents.
>
> Ciao
> Hannes
>
> *From:* Sipos, Brian J. <[email protected]>
> *Sent:* Wednesday, 8 October 2025 15:00
> *To:* [email protected]
> *Subject:* [COSE] The term "PKIX" and C509
>
> WG,
>
> From the perspective of a user or a profile specification allowing the
> use of X509 and C509 in, for example, COSE messages, has there been any
> discussion about terminology in the sense of the following:
>
> Is it expected that the term “PKIX” will exclusively refer to X.509 as
> defined in RFC 5280? Or will PKIX be an umbrella term to include C509 as an
> equivalent encoding of the same information model? Possibly “public key
> certificate” is a better general purpose term, though a little more narrow
> in scope (a single credential) than what PKIX would imply (the whole PKI).
>
> Any thoughts about this?
>
> Brian S.
> _______________________________________________
> COSE mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
