[cabfpub] ASN.1 Default Values

Erwann Abalea erwann.abalea at keynectis.com
Fri Apr 4 12:25:50 UTC 2014


What is more concerning is that the IssuingDistributionPoint extension 
of your CRLs isn't critical.
This is a MUST, and there are security reasons behind it.

-- 
Erwann ABALEA

On 04/04/2014 12:12, Enric Castillo wrote:
> Hi,
>
> We recently received a bug from one of our partners about a bad 
> encoding of our CRL, specifically the value onlyContainsCACerts, which 
> is set to "false", the same as its default value.
>
>     IssuingDistributionPoint ::= SEQUENCE {
>         distributionPoint          [0] DistributionPointName OPTIONAL,
>         onlyContainsUserCerts      [1] BOOLEAN DEFAULT FALSE,
>         onlyContainsCACerts        [2] BOOLEAN DEFAULT FALSE,
>         onlySomeReasons            [3] ReasonFlags OPTIONAL,
>         indirectCRL                [4] BOOLEAN DEFAULT FALSE,
>         onlyContainsAttributeCerts [5] BOOLEAN DEFAULT FALSE }
>
>         -- at most one of onlyContainsUserCerts, onlyContainsCACerts,
>         -- and onlyContainsAttributeCerts may be set to TRUE.
>
> I've read the ASN.1 Encoding Rules ( 
> http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf ):
>
>     11.5 Set and sequence components with default value
>     The encoding of a set value or sequence value shall not include an
>     encoding for any component value which is equal to its default value.
>
>
> Then, our CRL is wrong.
>
> I've also seen that a recent Bugzilla bug ( 
> https://bugzilla.mozilla.org/show_bug.cgi?id=988633 ) was opened to 
> discuss a similar problem, in terms that also affect ANF AC, because 
> the basic constraints are also malformed. It seems that this is a 
> common formatting error in both the certificates and CRLs of many CA/B 
> Forum members.
>
>
> The reason we included these fields is to emphasize some fields that 
> we think are important.
>
> What position does the CA/B Forum take?
>
>
> Thanks,
> Enric
> -- 
>
> Enric Castillo
> Engineering Department
> ANF Autoridad de Certificación
> enric.castillo at anf.es
> www.anf.es <https://www.anf.es>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
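
Both points raised in this thread can be checked mechanically. The following Python lint is an added example, not code from either poster: it walks a DER-encoded Extension carrying an IssuingDistributionPoint and reports a missing critical flag and any DEFAULT FALSE field that was encoded explicitly. The tag bytes assume the implicit tagging of the RFC 5280 module, and both hex inputs are constructed for illustration.

```python
# Added example: lint a DER-encoded IssuingDistributionPoint CRL extension.
IDP_OID = bytes.fromhex("551d1c")  # 2.5.29.28, id-ce-issuingDistributionPoint
# Context tags of the BOOLEAN DEFAULT FALSE fields in the ASN.1 quoted above
# (assumes implicit tagging, so [n] BOOLEAN is encoded with tag 0x80 | n).
DEFAULT_FALSE = {0x81: "onlyContainsUserCerts", 0x82: "onlyContainsCACerts",
                 0x84: "indirectCRL", 0x85: "onlyContainsAttributeCerts"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def lint_idp_extension(ext_der):
    """Return a list of findings for one Extension SEQUENCE."""
    tag, body, _ = read_tlv(ext_der, 0)
    parts = children(body)
    if tag != 0x30 or len(parts) < 2 or parts[0] != (0x06, IDP_OID):
        raise ValueError("not an IssuingDistributionPoint extension")
    findings = []
    # Extension.critical is itself BOOLEAN DEFAULT FALSE: absent means FALSE.
    if not any(t == 0x01 and v != b"\x00" for t, v in parts[1:-1]):
        findings.append("extension is not marked critical")
    octet_tag, extn_value = parts[-1]
    if octet_tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    _, idp_body, _ = read_tlv(extn_value, 0)
    for t, v in children(idp_body):
        if t in DEFAULT_FALSE and v == b"\x00":  # X.690 11.5 violation
            findings.append(f"{DEFAULT_FALSE[t]} explicitly encoded as FALSE")
    return findings

# Constructed samples: non-critical with an explicit FALSE, then a clean one.
BAD = bytes.fromhex("300f0603551d1c040830068101ff820100")
GOOD = bytes.fromhex("300f0603551d1c0101ff040530038101ff")
```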
