One document matched: draft-ietf-ipsec-dss-cert-00.txt


The standard extensions are described in Amendment 1 to ITU Rec. X.509 (1993) 
| ISO/IEC 9594-8 : 1995.  A subset of extensions will need to be chosen 
for this profile.  The extensions field allows addition of new fields 
to the certificate structure without modification to the ASN.1 definition.  
An extension field consists of an extension object identifier, 
a criticality flag, and a canonical encoding of a data value of an 
ASN.1 type associated with the object identifier already specified. 
 
When a system processes a certificate but does not recognize an 
extension, if the criticality flag is FALSE, the extension may be 
ignored and the remainder of the certificate information may be 
processed as valid.  If the criticality flag is TRUE, an unrecognized 
extension shall cause the system to consider the entire certificate invalid. 
 
3. An overview of the use of the Distinguished Encoding Rules (DER) in 
   Certificate Signature Operations. 
 
(1) Sign: The signing application converts the abstract value 
(or internal representation) of the certificate information into a bit 
representation using the DER and signs that bit representation.  
The signature is then appended onto the abstract value, and both values 
are then BER (Basic Encoding Rules) encoded to provide a transfer 
syntax.  The same encoder used to apply the DER may be used to apply 
the transfer syntax, so the transfer syntax can also follow the DER. 
 
(2) Authenticate: The authenticating application will decode the received 
certificate (containing the certificate information and issuer signature).  
This application will then have an abstract value for both the 
certificate information and a signature.  The application will then take the 
resulting abstract value of the certificate information and re-encode it 
using the DER to produce the same bit representation that was signed.   
The received signature can now be authenticated using the exact bitstring 
representation used in the signing operation. 
 
When the DER are applied to information before that information is signed,
the authentication operation (also applying the DER) will always detect if 
that information has been modified, and the incidence of false 
authentication failures is greatly reduced. 
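
The re-encoding step of (2), as an added example that is not part of
the draft: a received BER value is normalised to DER before the bits
that were signed are recomputed.  Assumptions: all function names are
hypothetical, a SHA-1 digest stands in for the input to the DSS
signature check, only length octets and BOOLEAN TRUE are normalised,
and the sample bytes are constructed.

```python
import hashlib

def read_tlv(buf, pos=0):
    """Decode one BER TLV; return (tag, content, next_pos). Single-byte tags only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not handled here")
    else:                                  # long form; BER allows non-minimal use
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def der_length(n):
    """DER requires the shortest possible length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def to_der(buf):
    """Re-encode one BER value in DER (lengths and BOOLEAN TRUE only)."""
    tag, content, end = read_tlv(buf)
    if end != len(buf):
        raise ValueError("trailing bytes after value")
    if tag & 0x20:                         # constructed: normalise each child
        out, pos = b"", 0
        while pos < len(content):
            nxt = read_tlv(content, pos)[2]
            out += to_der(content[pos:nxt])
            pos = nxt
        content = out
    elif tag == 0x01 and content != b"\x00":
        content = b"\xff"                  # DER encodes TRUE as 0xFF
    return bytes([tag]) + der_length(len(content)) + content

def signed_digest(received):
    """SHA-1 over the DER re-encoding: the bits a DSS signature would cover."""
    return hashlib.sha1(to_der(received)).hexdigest()

# Constructed sample: one extension (OID 2.5.29.19, critical TRUE, value 30 00).
SIGNER_DER = bytes.fromhex("300c0603551d130101ff04023000")      # what was signed
WIRE_BER = bytes.fromhex("30810d0603551d130101010481023000")    # same value, BER
TAMPERED = bytes.fromhex("30810d0603551d130101000481023000")    # critical -> FALSE
```

WIRE_BER differs from SIGNER_DER byte for byte, so a digest taken over
the wire bytes would fail, yet its DER re-encoding yields the signed
bits; TAMPERED re-encodes to different bits and is rejected.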
 
4. Security Considerations 
 
Security issues are not discussed in this document. 
 
5. References 
 
[1] CCITT Recommendation X.208 (1992),  "Abstract Syntax Notation One" 
 
[2] CCITT Recommendation X.509 (1988),  "The Directory - Authentication 
    Framework" 
 
[3] FIPS 186  Digital Signature Standard 


Author's Address(es)

Questions about this can be directed to:


John Kennedy
CYLINK Corporation
jkennedy@cylink.com
408-735-5885

John Marchioni
CYLINK Corporation
johnmarc@cylink.com
408-735-5800


