"Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:

[snip]

> Ok, sounds like a reasonable suggestion. But do you want DER+Base64 or just
> plain DER? Because DER is a binary format while DER+Base64 is the binary plus
> Base64 transformed and PEM is actually DER+Base64+Header/Footer. So, what
> exactly do you understand under "DER Base64"? Do you want plain DER or really
> DER+Base64?

I defer to our resident munitions expert, Marc VanHeyningen...

<blockquote>
We try to be liberal in what we accept, so we can read plain DER as well as 
DER+Base64 in many cases; for example, trusted roots can be specified in
either, but if it's plain DER there isn't any good way to specify >1 root
while DER+Base64 makes it easy to have multiple roots, look at them, cut and
paste them, etc.

Credentials files (socks5.certs and friends), similarly, have to contain
multiple objects (private key, certificate chain of >1 certificate) and so
the easiest way to store those multiple objects with labels of which is what
is by using base64 with ----BEGIN FOO----- headers and footers.  This also
makes it easier to sanity check files by looking at them in text editors,
reduces headaches with customers who occasionally have to email those files
to support, etc.  Obviously it makes the files slightly larger but that 
seems a small price to pay.

Unless I'm misunderstanding him, I disagree with his assertion that PEM is
"just" DER + base64 + header/footer; the headers/footers added by PEM are
more complex than what we use, and what exactly goes in the DER is often
a bit different, assuming he means the DER of the PKCS stuff rather than
the PEM stuff.  Our private key, for instance, is stored per PKCS#5/8,
not per any PEM standard; certificates are raw X.509 DERs,
base64-encoded with -----BEGIN CERTIFICATE----- thrown in front.
</blockquote>

-Tom
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
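
The multi-object, labelled layout described in the quoted reply can be illustrated with a small loader. This is an added example, not code from the post or from any product it mentions; the function names, the "ENCRYPTED PRIVATE KEY" label and the tiny DER values are constructed assumptions. It accepts either one plain DER object or any number of base64 blocks with BEGIN/END labels, and sanity-checks each object's DER length.

```python
import base64
import re

# One labelled block: -----BEGIN X----- base64 -----END X-----
_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 #]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_total_length(buf):
    """Length (header + content) of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def load_objects(data):
    """Return [(label, der_bytes)]; label is None for plain-DER input."""
    if data[:1] == b"\x30":                # plain DER: room for exactly one object
        if der_total_length(data) != len(data):
            raise ValueError("trailing or truncated data")
        return [(None, data)]
    out = []
    for label, body in _BLOCK.findall(data.decode("ascii")):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der_total_length(der) != len(der):
            raise ValueError("block %r: trailing or truncated data" % label)
        out.append((label, der))
    if not out:
        raise ValueError("no labelled blocks found")
    return out

def armor(label, der):
    """Wrap DER bytes in base64 with BEGIN/END lines (64 chars per line)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

# Constructed sample: tiny DER SEQUENCEs standing in for a key and two certificates.
KEY, LEAF, ROOT = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02", b"\x30\x03\x02\x01\x03"
SAMPLE = (armor("ENCRYPTED PRIVATE KEY", KEY) + armor("CERTIFICATE", LEAF)
          + armor("CERTIFICATE", ROOT)).encode("ascii")

if __name__ == "__main__":
    for label, der in load_objects(SAMPLE):
        print(label, len(der), "bytes")
```
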