RE: Certificate = DER ?

> I think I'm ok with this but I don't think we should be any more
> specific, such as stating the DER encoded certificate MUST be 100%
> compliant with PKIX/RFC 5280. (I don't think this is what you are
> suggesting, but I think it is worth mentioning just in case).

No, I'm definitely not suggesting that, and I agree with that. I am in favor
of as few dependencies on 5280 as possible, simply because so many things
that depend on dsig and the use of certificates that are nominally "X.509"
don't have any intention of actually following PKIX to any significant
degree.

-- Scott

Received on Monday, 10 November 2008 21:03:56 UTC