[cabfpub] ASN.1 Default Values
Erwann Abalea
erwann.abalea at keynectis.com
Fri Apr 4 12:25:50 UTC 2014
What is more concerning is that the IssuingDistributionPoint extension
of your CRLs isn't critical.
This is a MUST, and there are security reasons behind it.
--
Erwann ABALEA
On 04/04/2014 12:12, Enric Castillo wrote:
> Hi,
>
> We've recently received a bug from one of our partners about a bad
> encoding of our CRL, specifically the value onlyContainsCACerts, which
> is set to "false", the same as its default value.
>
>   IssuingDistributionPoint ::= SEQUENCE {
>       distributionPoint          [0] DistributionPointName OPTIONAL,
>       onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
>       onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
>       onlySomeReasons            [3] ReasonFlags OPTIONAL,
>       indirectCRL                [4] BOOLEAN DEFAULT FALSE,
>       onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
>
>   -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
>   -- and onlyContainsAttributeCerts may be set to TRUE.
>
> I've read the ASN.1 Encoding Rules (
> http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf ):
>
>   11.5 Set and sequence components with default value
>   The encoding of a set value or sequence value shall not
>   include an encoding for any component value which is equal to its
>   default value.
>
> Then, our CRL is wrong.
>
> Also, I've seen that a recent Bugzilla bug (
> https://bugzilla.mozilla.org/show_bug.cgi?id=988633 ) was opened to
> discuss a similar trouble, in terms that also affect ANF AC, because
> the basic constraints are also malformatted. It seems that this is a
> common bad formatting, in both certificates and CRLs of many CA/B Forum members.
>
>
> The reason why we included these fields is to emphasize some fields that
> we think are important.
>
> What position does the CA/B Forum take?
>
>
> Thanks,
> Enric
> --
>
> ANF Autoridad de Certificación
>
> *Enric Castillo*
> Engineering Department
> ANF Autoridad de Certificación
> enric.castillo at anf.es
> https://www.anf.es
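Both points raised in this thread (DEFAULT FALSE components that X.690 11.5 says must be omitted, and the criticality of the IssuingDistributionPoint extension) can be checked mechanically. The following is an added example, not part of either message: it assumes the implicit tagging of the RFC 5280 module (BOOLEAN components encoded with tags 0x81, 0x82, 0x84, 0x85), and the function names and sample bytes are constructed for illustration.

```python
# Added example: standard library only. Sample extensions are constructed.
IDP_OID = bytes.fromhex("551d1c")  # 2.5.29.28, id-ce-issuingDistributionPoint
BOOL_FIELDS = {0x81: "onlyContainsUserCerts", 0x82: "onlyContainsCACerts",
               0x84: "indirectCRL", 0x85: "onlyContainsAttributeCerts"}

def read_tlvs(buf):
    """Split a DER buffer into (tag, value) pairs; single-byte tags only."""
    out, i = [], 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def check_idp_extension(ext_der):
    """Return findings for one DER-encoded Extension that carries an IDP."""
    findings = []
    (tag, body), = read_tlvs(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    fields = read_tlvs(body)
    if fields[0] != (0x06, IDP_OID):
        raise ValueError("not an IssuingDistributionPoint extension")
    # critical is BOOLEAN DEFAULT FALSE: it must be present and TRUE (0xFF).
    if [v for t, v in fields[1:] if t == 0x01] != [b"\xff"]:
        findings.append("extension is not marked critical")
    extn_value = [v for t, v in fields[1:] if t == 0x04][0]
    (_, idp_body), = read_tlvs(extn_value)
    for t, v in read_tlvs(idp_body):
        # X.690 11.5: a component equal to its DEFAULT must not be encoded.
        if t in BOOL_FIELDS and v == b"\x00":
            findings.append(f"{BOOL_FIELDS[t]} encodes its DEFAULT (FALSE)")
    return findings

# Constructed: non-critical IDP with onlyContainsCACerts explicitly FALSE.
BAD_EXT = bytes.fromhex("300c0603551d1c04053003820100")
# Constructed: critical IDP with onlyContainsUserCerts TRUE.
GOOD_EXT = bytes.fromhex("300f0603551d1c0101ff040530038101ff")

if __name__ == "__main__":
    print(check_idp_extension(BAD_EXT))
    print(check_idp_extension(GOOD_EXT))
```
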