Hello,

2014-09-18 0:35 GMT+02:00 Brian Smith <[email protected]>:
> On Wed, Sep 17, 2014 at 2:45 PM, Melinda Shore <[email protected]> wrote:
> > There've been a couple of proposals for alternative representation,
> > including TBS (alternatively, the CertTemplate format from 4211) and
> > CRMF, and there seems to be some agreement congealing around Erwann's
> > summary:
> >
> >> IIUC, what you propose is that the PreCert is a CMS (RFC5652) with a
> >> signedData content-type, for which the data is the TBSCertificate
> >> (name-redacted or not, no necessary poison extension). The SignerInfo
> >> refers to the PreCert issuer (CA or dedicated issuer, same as now).
>
> CMS is not a good format for the PreCert, because CMS is highly
> complicated and unnecessarily complex for this purpose. And, in
> particular, CMS is specified as a BER-encoded format, not a
> DER-encoded format,

BER/DER doesn't concern the payload of the CMS (here, the TBSCertificate, which will be DER encoded anyway). CMS is complex and flexible, but this complexity is already known, and it will be handled by logs+monitors+auditors only. More importantly, CMS is already present in the bestiary of objects that anyone involved in PKI knows.

> and it isn't reasonable to require implementations
> to support a BER-encoded format for CT when all other things they
> process are DER-encoded. In particular, some implementations may have
> specialized DER decoders that cannot be practically adapted to deal
> with BER.

Fine. Let's say that for the purpose of CT, the CMS SHOULD be DER encoded. Those CMS objects will still be RFC5652 compliant (DER is a subset of BER).

> I previously suggested an alternative syntax that would be much easier
> to implement:
> http://www.ietf.org/mail-archive/web/trans/current/msg00500.html

That's another solution, but it will force everyone to add this specific object to their libraries. It will require more effort.

-- Erwann.
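The encoding point argued in the exchange above (a DER-only decoder cannot consume BER, while a DER-encoded CMS object is still valid BER) is illustrated by this added example, which is not code from the thread or from any CT implementation: a strict DER well-formedness check of the kind such a decoder applies, run over a hand-constructed sample value in DER and in two BER-only encodings. The sample bytes and function names are my own assumptions.

```python
# Added example (not the thread's own code): a strict DER well-formedness check of
# the kind a DER-only decoder applies. Sample bytes below are hand-constructed.
class DerError(ValueError):
    pass

def _read_len(buf, i):
    """Parse the length field at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                 # short form: always DER
        return first, i + 1
    if first == 0x80:                # BER indefinite length has no DER form
        raise DerError("indefinite length at offset %d" % i)
    n = first & 0x7F
    if i + 1 + n > len(buf):
        raise DerError("length field runs past end of input")
    if buf[i + 1] == 0:              # DER forbids leading zero length bytes
        raise DerError("non-minimal long-form length at offset %d" % i)
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if length < 0x80:                # DER requires the short form here
        raise DerError("long form used for length %d" % length)
    return length, i + 1 + n

def check_der(buf, start=0, end=None):
    """Walk the TLVs in buf[start:end]; raise DerError on any non-DER encoding."""
    end = len(buf) if end is None else end
    i = start
    while i < end:
        tag = buf[i]
        if tag & 0x1F == 0x1F or i + 1 >= end:
            raise DerError("unsupported high tag or missing length at offset %d" % i)
        length, i = _read_len(buf, i + 1)
        if i + length > end:
            raise DerError("element overruns its enclosing element")
        if tag & 0x20:               # constructed: contents must also be DER
            check_der(buf, i, i + length)
        i += length
    if i != end:
        raise DerError("trailing bytes after last element")
    return True

def is_der(buf):
    """True if buf is a complete, strictly DER-encoded value; False otherwise."""
    try:
        return check_der(buf)
    except DerError:
        return False

# SEQUENCE { OCTET STRING "abc", INTEGER 1 }: DER, then two BER-only encodings
DER_OK = bytes.fromhex("30 08 04 03 61 62 63 02 01 01")
BER_INDEFINITE = bytes.fromhex("30 80 04 03 61 62 63 02 01 01 00 00")  # 30 80 ... 00 00
BER_LONG_FORM = bytes.fromhex("30 09 04 81 03 61 62 63 02 01 01")      # 81 03 for length 3
```

A log that applies this check before parsing a submitted CMS object gets the behaviour Brian asks for (DER only) without any change to the CMS syntax itself.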
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
