From: Michael <[EMAIL PROTECTED]>

michael> > Have you read RFC2560 properly?  You can have responders that answer
michael> > for other CA's.  Multiple CA's even.
michael> 
michael> I know that. But is the DER-encoding of the issuerName always
michael> the same?

It's supposed to be encoded in ascending lexicographic order, at least
according to the Layman's Guide to a Subset of ASN.1, BER and DER.

michael> IMHO at least this type definition containing SET OF might
michael> lead to different DER-encodings (and therefore different
michael> issuerNameHash values) of equivalent issuer names if the
michael> RelativeDistinguishedName is reordered.

You know, if we couldn't assume that the order would be maintained,
we'd be in a lot of trouble, since the full verification of a
certificate is done by matching one cert's issuer with another cert's
subject.  Unless we can assume that the same order will be preserved,
verification would be impossible.  Think about it, a DN can have
multiple RDNs of the same type.  Does DC ring a bell?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
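The point argued above, as an added example that is not part of the original thread: a minimal DER encoder for an X.501 Name (constructed here, not OpenSSL's code) showing that DER's SET OF ordering rule makes the attribute order inside one RelativeDistinguishedName irrelevant to issuerNameHash, while the SEQUENCE OF RDN order (e.g. several DC RDNs) is preserved as given. The attribute labels and sample DN values are assumptions for illustration; the OIDs are the real ones.

```python
"""Minimal DER encoder for an X.501 Name (constructed example).
Name ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
X.690 11.6: SET OF elements are emitted sorted by their encodings."""
import hashlib

# Real attribute-type OIDs; the short labels are just our own keys.
OIDS = {"CN": "2.5.4.3", "O": "2.5.4.10", "C": "2.5.4.6",
        "DC": "0.9.2342.19200300.100.1.25"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one octet
    for arc in arcs[2:]:                     # base-128, high bit = "more"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_atv(attr, value):
    # AttributeTypeAndValue ::= SEQUENCE { type OID, value UTF8String }
    return tlv(0x30, der_oid(OIDS[attr]) + tlv(0x0C, value.encode()))

def der_rdn(atvs):
    # SET OF: DER sorts the element encodings as octet strings, so the
    # order in which the caller lists the attributes cannot leak through.
    return tlv(0x31, b"".join(sorted(der_atv(a, v) for a, v in atvs)))

def der_name(rdns):
    # SEQUENCE OF RDN: order is significant and is kept exactly as given.
    return tlv(0x30, b"".join(der_rdn(r) for r in rdns))

def issuer_name_hash(rdns):
    """OCSP CertID.issuerNameHash: hash (SHA-1 here) over the DER Name."""
    return hashlib.sha1(der_name(rdns)).hexdigest()

if __name__ == "__main__":
    a = [[("C", "SE")], [("O", "Stacken"), ("CN", "Test CA")]]   # constructed DN
    b = [[("C", "SE")], [("CN", "Test CA"), ("O", "Stacken")]]   # same RDN, swapped
    print(der_name(a) == der_name(b), issuer_name_hash(a))
```

Swapping the two attributes inside the multi-valued RDN yields byte-identical DER and the same hash; swapping two DC RDNs at the SEQUENCE level does not, which is why verification can rely on the stored order.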
