On 03/03/15 16:02, Russ Housley wrote:
<snip>
At the time that certificate extensions were invented, the OCTET STRING wrapper 
was used so that the ASN.1 decode would not fail if an unsupported extension 
was encountered.  Some people complained about the performance hit that that 
additional wrapper imposed on universally supported extensions, but this is the 
syntax that was chosen by ITU-T in X.509 version 3.  I do not recall any 
discussion at that time about allowing the OCTET STRING to contain anything 
other than an ASN.1 DER encoded structure.

RFC 2459, section 4.2 says:  "Each extension includes an OID and an ASN.1 
structure."  That remains in RFC 5280.

Russ

Russ, this is how X.680 defines the OCTET STRING type:

  "3.8.55  octetstring type: A simple type whose distinguished values
           are an ordered sequence of zero, one or more octets, each
           octet being an ordered sequence of eight bits.
   ...
   23.1  The octetstring type (see 3.8.55) shall be referenced by the
         notation "OctetStringType":
           OctetStringType ::= OCTET STRING"

It seems clear to me that an OCTET STRING can contain absolutely anything. (If an OCTET STRING could only contain ASN.1 object(s), then surely that would defeat the whole point of having the OCTET STRING type in the first place?)

Regarding your quote from RFC2459/5280:
Is "ASN.1 structure" defined somewhere? Does "structure" imply that it MUST be a constructed type such as a SEQUENCE or SET (rather than a primitive type such as OCTET STRING or INTEGER)?
I presume not, because RFC5280 also says:

  "Extension  ::=  SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING
                    -- contains the DER encoding of an ASN.1 value
                    -- corresponding to the extension type identified
                    -- by extnID
        }"

Surely an OCTET STRING _is_ "an ASN.1 value"?


BTW, the clarifications proposed by this ticket might be relevant to this discussion:
http://trac.tools.ietf.org/wg/trans/trac/ticket/14


P.S. At least we're not trying to embed an MPEG video of a cat into a certificate field that you might expect to contain ASN.1 object(s). ;-)
http://www.cypherpunks.to/~peter/T2a_X509_Certs.pdf (page 9)

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans

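The Extension structure quoted in the thread can be made concrete with a small, dependency-free DER encoder/decoder. This is an added example, not code from the thread or from any IETF document: it builds an Extension SEQUENCE with the extnValue OCTET STRING wrapper, parses it back without looking inside extnValue (the decoder robustness Russ describes), and then separately checks whether the wrapped bytes form exactly one well-formed DER value, which is the property the RFC 5280 comment asserts. The basicConstraints OID 2.5.29.19 and its encoding are standard; the OID 1.2.3.4.5 and the opaque payload are constructed for the example, and all function names are my own.

```python
"""Added example: Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }."""

# Universal tag octets (X.690); SEQUENCE has the constructed bit (0x20) set
TAG_BOOLEAN, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x04, 0x06, 0x30


def der_encode_tlv(tag: int, content: bytes) -> bytes:
    """Definite-length DER tag/length/value, minimal length octets."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + content


def der_decode_tlv(buf: bytes, offset: int = 0):
    """Decode one TLV at buf[offset] -> (tag, content, end). Rejects truncation,
    indefinite length and non-minimal length octets (none of which are DER)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated tag/length")
    tag, first, pos = buf[offset], buf[offset + 1], offset + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled in this example")
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        num = first & 0x7F
        if pos + num > len(buf):
            raise ValueError("truncated length octets")
        length = int.from_bytes(buf[pos:pos + num], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length is not DER")
        pos += num
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length


def oid_encode(dotted: str) -> bytes:
    """Dotted OID -> content octets (first two arcs packed, then base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def oid_decode(content: bytes) -> str:
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def encode_extension(oid: str, critical: bool, extn_value: bytes) -> bytes:
    """DER omits 'critical' when it equals its DEFAULT (FALSE)."""
    body = der_encode_tlv(TAG_OID, oid_encode(oid))
    if critical:
        body += der_encode_tlv(TAG_BOOLEAN, b"\xff")
    return der_encode_tlv(TAG_SEQUENCE, body + der_encode_tlv(TAG_OCTET_STRING, extn_value))


def parse_extension(der: bytes) -> dict:
    """Parse one Extension; extnValue is returned as opaque bytes, so an
    unsupported extension never makes the outer decode fail."""
    tag, seq, end = der_decode_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("Extension must be exactly one SEQUENCE")
    tag, oid_content, pos = der_decode_tlv(seq)
    if tag != TAG_OID:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, content, pos = der_decode_tlv(seq, pos)
    if tag == TAG_BOOLEAN:
        if content != b"\xff":
            raise ValueError("critical must be absent (FALSE) or the canonical TRUE")
        critical = True
        tag, content, pos = der_decode_tlv(seq, pos)
    if tag != TAG_OCTET_STRING or pos != len(seq):
        raise ValueError("extnValue must be the final OCTET STRING")
    return {"extnID": oid_decode(oid_content), "critical": critical, "extnValue": content}


def is_single_der_value(data: bytes) -> bool:
    """True if data is exactly one well-formed DER value (nested values checked too)."""
    try:
        tag, content, end = der_decode_tlv(data)
    except ValueError:
        return False
    if end != len(data):
        return False
    if tag & 0x20:  # constructed: contents must be a run of DER values
        pos = 0
        while pos < len(content):
            try:
                _, _, nxt = der_decode_tlv(content, pos)
            except ValueError:
                return False
            if not is_single_der_value(content[pos:nxt]):
                return False
            pos = nxt
    return True


# basicConstraints (2.5.29.19), critical, cA = TRUE: extnValue wraps a DER SEQUENCE
BASIC_CONSTRAINTS_CA = encode_extension(
    "2.5.29.19", True, der_encode_tlv(TAG_SEQUENCE, der_encode_tlv(TAG_BOOLEAN, b"\xff")))
# Constructed case: made-up OID, extnValue wraps bytes that are not DER at all
OPAQUE_EXT = encode_extension("1.2.3.4.5", False, b"\xff\xfe\x00 not DER")

if __name__ == "__main__":
    for name, ext in (("basicConstraints", BASIC_CONSTRAINTS_CA), ("opaque", OPAQUE_EXT)):
        info = parse_extension(ext)
        inner = "DER value" if is_single_der_value(info["extnValue"]) else "opaque bytes"
        print(f"{name}: extnID={info['extnID']} critical={info['critical']} extnValue holds {inner}")
```

Both extensions parse cleanly because the outer grammar only ever sees an OCTET STRING; whether the wrapped bytes are themselves "the DER encoding of an ASN.1 value" is a separate check that the outer decoder never needs to make. A validator that wants to enforce the RFC 5280 comment has to run it per extnID, after the outer parse, which is exactly the layering the OCTET STRING wrapper was introduced to provide.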