nessett@OCFMAIL.OCF.LLNL.GOV (Danny Nessett) (08/08/90)
Recently I was made aware of a requirement in X509 that SIGNED or SIGNATURE data values force certain restrictions on the Basic Encoding Rules used to encode them (see section 8.7 in the X509 document). After reading the relevant restrictions, I almost fainted. Instead of defining a new encoding of the ASN.1 abstract syntax to parallel BER, the X509 authors break the layering of the presentation level by their requirements (i.e., an application protocol now specifies that certain BER encodings are illegal). How is it possible that this egregious violation of ISO layering made it past the standards review process? Is there anyone on this list who has the inside scoop on this nightmare? Dan Nessett
csi@otter.hpl.hp.com (Colin I'Anson) (08/15/90)
Yes, your analysis is correct with the X.509 macros that use cryptographic manipulations on the encoded ASN.1. At the time there was no alternative other than to invent a new type of ASN.1 encoding that would ensure the digitial signature operation would work. Although this appears like a defect, it is a pointer to the new encoding rules that are being worked on. I can't remember all the names but there will be one to deal with the problem X.509 identified. The method used will probably not satisify the religious zealots but I can verify from experience that you can build a practical X.400 (1988) secure messaging system using these macros and associated encoding rule restrictions. Colin I'Anson - HP Labs Bristol