
Re: some concerns about last IKEv2 draft



On Wed, Sep 10, 2003 at 06:30:19PM +0200, Francis Dupont wrote:
> I have some concerns about the draft-ietf-ipsec-ikev2-10.txt document:
> 
>  - in 3.6 Certificate Payload:
> 
>       Hash and URL of PKIX bundle (13) contains a 20 octet SHA-1 hash of
>       a PKIX certificate bundle followed by a variable length URL the
>       resolves to the BER encoded certificate bundle itself. The bundle
>       is a BER encoded SEQUENCE of certificates and CRLs.
> 
>  => this is an underspecified ASN.1 type: some tagging is needed,
>     for instance by adding:
>     ", respectively with implicit tags 0 and 1".

To be fair to the draft, it didn't claim that this is an ASN.1 type, it
just specifies the use of BER.

That said, there are at least two problems here: a) the first sentence of
the paragraph you quote is grammatically incorrect and b) it should use
DER or CER instead of BER (since there are multiple ways to encode an ASN.1
SEQUENCE in BER, but one should generally use a definite encoding to
encode inputs to hash functions).

Further, it would be preferable to give the ASN.1 syntax for this
SEQUENCE, which means getting the tagging right, as you point out.

Cheers,

Nico
--
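Worked illustration of the two points in the reply above (BER admits several byte encodings of one SEQUENCE, so a SHA-1 over "the bundle" is underdetermined; and the members need tags to be told apart). This is an added example and is not code from the draft or from either poster. It assumes the implicit tags [0] for certificates and [1] for CRLs that Francis proposed, and uses short constructed stand-ins in place of real Certificate and CertificateList values; the tag byte values follow X.690.

```python
import hashlib

# Universal and context-specific tag bytes per X.690. The [0]/[1] values are the
# implicit tags proposed for certificates and CRLs in the bundle (assumed here).
SEQUENCE = 0x30
OCTET_STRING = 0x04
CERT_TAG = 0xA0   # [0] IMPLICIT applied to a SEQUENCE: context-specific, constructed
CRL_TAG = 0xA1    # [1] IMPLICIT applied to a SEQUENCE


def der_length(n):
    """Minimal definite-length octets, the only length form DER permits."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def ber_indefinite(tag, content):
    """Constructed value with indefinite length (tag 80 ... 00 00): valid BER, not DER."""
    return bytes([tag, 0x80]) + content + b"\x00\x00"


def ber_long_form(tag, content):
    """Non-minimal long-form length for a short value: also valid BER, not DER."""
    return bytes([tag, 0x81, len(content)]) + content


def implicit(new_tag, element):
    """IMPLICIT tagging replaces the outer tag byte; length and content stay."""
    return bytes([new_tag]) + element[1:]


def ber_read(buf, pos=0):
    """Parse one TLV at buf[pos] -> (tag, content, next_pos).
    Accepts short, long-form and indefinite lengths; single-byte tags only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:                       # indefinite: walk children up to EOC
        start = pos
        while buf[pos:pos + 2] != b"\x00\x00":
            _, _, pos = ber_read(buf, pos)
        return tag, buf[start:pos], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def to_der(buf):
    """Re-encode any BER element (recursively) as DER."""
    tag, content, end = ber_read(buf)
    assert end == len(buf), "trailing bytes"
    if tag & 0x20:                          # constructed: canonicalise each child
        pos, parts = 0, []
        while pos < len(content):
            _, _, nxt = ber_read(content, pos)
            parts.append(to_der(content[pos:nxt]))
            pos = nxt
        content = b"".join(parts)
    return der(tag, content)


# Constructed stand-ins for a Certificate and a CertificateList (both are SEQUENCEs).
TOY_CERT = der(SEQUENCE, der(OCTET_STRING, b"cert-stand-in"))
TOY_CRL = der(SEQUENCE, der(OCTET_STRING, b"crl-stand-in"))
INNER = implicit(CERT_TAG, TOY_CERT) + implicit(CRL_TAG, TOY_CRL)

# Three different byte strings, all valid BER for the same bundle value.
BUNDLE_DER = der(SEQUENCE, INNER)
BUNDLE_BER_LONG = ber_long_form(SEQUENCE, INNER)
BUNDLE_BER_INDEF = ber_indefinite(
    SEQUENCE, ber_indefinite(CERT_TAG, TOY_CERT[2:]) + implicit(CRL_TAG, TOY_CRL))


def sha1_hex(b):
    return hashlib.sha1(b).hexdigest()


def hash_variants():
    """SHA-1 of each encoding as sent, and of the same values normalised to DER."""
    variants = [BUNDLE_DER, BUNDLE_BER_LONG, BUNDLE_BER_INDEF]
    raw = {sha1_hex(v) for v in variants}
    canonical = {sha1_hex(to_der(v)) for v in variants}
    return raw, canonical


def split_bundle(bundle):
    """Classify bundle members by their implicit tag and return each as DER."""
    kinds = {CERT_TAG: "certificate", CRL_TAG: "crl"}
    tag, content, _ = ber_read(bundle)
    assert tag == SEQUENCE
    pos, members = 0, []
    while pos < len(content):
        t, _, nxt = ber_read(content, pos)
        # put back the universal SEQUENCE tag that the implicit tag replaced
        members.append((kinds[t], to_der(implicit(SEQUENCE, content[pos:nxt]))))
        pos = nxt
    return members


if __name__ == "__main__":
    raw, canonical = hash_variants()
    print("distinct SHA-1s over the BER bytes:", len(raw))        # 3
    print("distinct SHA-1s over the DER bytes:", len(canonical))  # 1
    for kind, member in split_bundle(BUNDLE_BER_INDEF):
        print(kind, member.hex())
```

The three bundles decode to the same value but hash to three different SHA-1s, so a receiver that fetches the URL and hashes what it gets can only match the payload if the spec pins down one encoding (DER, or CER) rather than BER. The second half shows why the tagging matters: with [0]/[1] the receiver sorts members by tag byte alone; if both were plain SEQUENCEs it would have to parse into each one to guess which is which.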