W3C home > Mailing lists > Public > public-xmlsec@w3.org > November 2008

RE: Certificate = DER ?

From: Scott Cantor <cantor.2@osu.edu>
Date: Mon, 10 Nov 2008 19:06:50 -0500
To: "'Magnus Nyström'" <magnus@rsa.com>, "'XMLSec WG Public List'" <public-xmlsec@w3.org>
Message-ID: <00cb01c94391$65c3f5f0$314be1d0$@2@osu.edu>

> Another good rule of thumb is "be flexible in what you accept, be strict
> in what you send."

That doesn't justify not informing the recipient what was sent, but
regardless, for this approach to hold, what we're really saying is that such
profiling is inappropriate to do in most general specs layered on this one.
That means that implementations have to handle all the possible encodings to
be safe, and I haven't seen any sign that they do so.

> In fact, some implementations handle non-BER/DER too - simply because they
> do memcpy() and then validate, without decoding...

Whatever's doing the validating still has to decode it, or I'm not
understanding this. That's the code I'm referring to.

> It just seems to me we could end up in a strange situation if certificates
> that work perfectly well for signing email or to encrypt using S/MIME
> cannot be used for XML signatures or encryption because of strict, but
> compliant XML Sec implementations. That's why I'd prefer not to change
> things in this regard.

I don't see how we're not in that situation now. The implementation I use
certainly is, and if, say, Java in fact only supports DER (I think somebody
indicated that might be true on the pkix list), then most/all of those
implementations are also.

This is the whole point. If using non-DER/BER is going to break things, then
it's pretty appropriate IMHO to say something about it and/or fix it.

-- Scott
Received on Tuesday, 11 November 2008 00:07:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:55 GMT