Looking at a Verisign certificate we stumbled today upon what we think is
a non-standard (should I say wrong?) way of encoding
crlDistributionPoint. We found that OpenSSL (using 0.9.3a for testing)
displays and generates this extension in the same format, deviating from
the specified standard syntax found in various specifications like
(probably in the order of appearance): X.509, PKIX, Mailtrust V2, and
SigI (the latter two specifications are German specifications derived
from PKIX). The standard syntax is to encode crlDistributionPoints as
  CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

  DistributionPoint ::= SEQUENCE {
       distributionPoint       [0] DistributionPointName OPTIONAL,
       reasons                 [1] ReasonFlags OPTIONAL,
       cRLIssuer               [2] GeneralNames OPTIONAL }

  DistributionPointName ::= CHOICE {
       fullName                [0] GeneralNames,
       nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
[taken from draft-ietf-pkix-ipki-part1-10.txt]
However, the encodings investigated encode the "DistributionPointName"
as
  DistributionPointName ::= CHOICE {
       fullName                [0] GeneralName,
       nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
that is, "fullName" is not a sequence of GeneralName but only one
GeneralName.
Semantically it is not necessary to allow more than one GeneralName in
the fullName field. However, as every document is specifying the
sequence here, we are in doubt whether we are looking at a typo in our
documents (which probably propagated from X.509 over PKIX into the
German standards) or at another "Verisign X.509" feature like improper
encoding of T61STRINGs and so on.
Or am I missing something?
-----------------------------------------------------------------------
Olaf Schlüter
Geschäftsfeld Netzwerksicherheit
Giesecke & Devrient GmbH
Prinzregentenstr. 159 D-81607 Muenchen
Telefon 089/4119-2531 Fax 089/4119-2490
Email: [EMAIL PROTECTED]
World Wide Web: http://www.gdm.de
-----------------------------------------------------------------------
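As an added example (not code from the post, from OpenSSL or from Verisign), the Python below walks a DER-encoded CRLDistributionPoints extension value along the nesting the ASN.1 above describes and lists every GeneralName found under fullName. The sample bytes are constructed here, not taken from any real certificate, and the tag values in the comments follow RFC 2459 with its IMPLICIT TAGS module. For a decoder, the difference between the two readings is only visible on the wire when fullName carries more than one name: the [0] on GeneralNames is implicit and replaces the SEQUENCE tag, while a [0] on the CHOICE type GeneralName would have to be explicit, so in both cases a single URI sits directly inside one context [0] constructed tag (0xA0) and encodes identically. The sample's second distribution point therefore carries two names, which only the SEQUENCE OF form can express.

```python
"""Walk a DER-encoded CRLDistributionPoints value and list the GeneralName
entries under each distributionPoint fullName (added example, constructed data)."""


def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Build one DER TLV; the constructed bit is part of the tag byte."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos and return (tag, content, next_pos).
    Single-byte tags only, which covers every tag used in this extension."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end


def read_all(buf: bytes):
    """Split the contents of a constructed value into its child TLVs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        out.append((tag, content))
    return out


# GeneralName alternatives rendered as text; any other alternative is reported by tag number.
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "DNS", 0x86: "URI"}


def decode_general_name(tag: int, content: bytes) -> str:
    kind = GENERAL_NAME_TAGS.get(tag)
    if kind is None:
        return "[%d]:<%d bytes>" % (tag & 0x1F, len(content))
    return "%s:%s" % (kind, content.decode("ascii"))


def parse_crl_distribution_points(der: bytes):
    """Return one dict per DistributionPoint with its decoded name fields.

    Nesting (RFC 2459, IMPLICIT TAGS module):
      CRLDistributionPoints SEQUENCE OF          0x30
        DistributionPoint SEQUENCE                0x30
          distributionPoint [0] EXPLICIT          0xA0  (explicit: DistributionPointName is a CHOICE)
            fullName [0] IMPLICIT GeneralNames    0xA0  (implicit: replaces the SEQUENCE tag)
              GeneralName                         0x86 URI, 0x82 dNSName, 0x81 rfc822Name, ...
    """
    outer_tag, outer, end = read_tlv(der, 0)
    if outer_tag != 0x30 or end != len(der):
        raise ValueError("extension value is not a single SEQUENCE")
    points = []
    for dp_tag, dp in read_all(outer):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        entry = {"fullName": [], "nameRelativeToCRLIssuer": None, "reasons": None, "cRLIssuer": None}
        for tag, content in read_all(dp):
            if tag == 0xA0:          # distributionPoint [0] EXPLICIT DistributionPointName
                name_tag, name, name_end = read_tlv(content, 0)
                if name_end != len(content):
                    raise ValueError("trailing bytes after DistributionPointName")
                if name_tag == 0xA0:  # fullName: zero or more GeneralName children
                    entry["fullName"] = [decode_general_name(t, c) for t, c in read_all(name)]
                elif name_tag == 0xA1:  # nameRelativeToCRLIssuer [1] IMPLICIT RDN, kept raw
                    entry["nameRelativeToCRLIssuer"] = name
                else:
                    raise ValueError("unknown DistributionPointName alternative 0x%02X" % name_tag)
            elif tag == 0x81:        # reasons [1] IMPLICIT ReasonFlags (BIT STRING), kept raw
                entry["reasons"] = content
            elif tag == 0xA2:        # cRLIssuer [2] IMPLICIT GeneralNames
                entry["cRLIssuer"] = [decode_general_name(t, c) for t, c in read_all(content)]
            else:
                raise ValueError("unexpected tag 0x%02X in DistributionPoint" % tag)
        points.append(entry)
    return points


# Constructed sample (not from a real certificate): two distribution points, the
# second carrying two GeneralName entries inside a single fullName.
SAMPLE_CDP = tlv(0x30,
    tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/one.crl"))))
  + tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.test/two.crl")
                                 + tlv(0x82, b"crl.example.test")))))

if __name__ == "__main__":
    for i, dp in enumerate(parse_crl_distribution_points(SAMPLE_CDP)):
        print("DistributionPoint %d: fullName = %s" % (i, dp["fullName"]))
```

Running it prints one line per distribution point; feeding it the raw extension value from a certificate (the OCTET STRING contents, not the whole Extension) shows how many names the issuer actually placed under [0], and a truncated or non-DER length raises rather than being silently accepted.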
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]