[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: comments on client auth
-----BEGIN PGP SIGNED MESSAGE-----
content-type: text/plain; charset=us-ascii
> Given SDSI certs are AS COMPLEX an encoding as X.509 DER,
> there is essentially no difference to implementors, here,
> when faced with a scratch implementation effort.
> This is not at all clear. I enjoy programming in Lisp and Scheme,
> while I find dealing with ASN.1 to be like pulling teeth. I find that
> S-expressions are *much* easier to work with than ASN.1..
Which is the false argument put forward for so long that
X.509 is something to do with ASN.1 programming.
I said X.509 DER, not ASN.1. But then, why dont we misrepresent;
its makes argument easier to win.
DER's design is tied closely to that of ASN.1. One cannot rationally
discuss the design of DER without also discussing the design of ASN.1.
X.509 is specified using a complex subset of ASN.1, using features
like SET, CHOICE, OPTIONAL, context-dependant tags, etc.,
Consequently, the X.509 DER must also be overly complex...
The DER encoding rules are semantically equivalent to S-expression
Are we talking about the same thing here? SDSI uses ASCII for its
external representation. Even though it includes an escape into pure
binary (verbatim-mode octet strings) for bulk data, all the structural
framing is done using ASCII.
and strucutrally very very very similar.
DER is significantly more complex structurally. It uses binary
variable-length fields (including variable-length tags and
variable-length-lengths, and a length-of-length-of-length bit). It's
got a complex two-level variable-length binary tagging scheme on
*every* *single* *field*, and a variable-length length.
Context-dependant tags, when present, are in binary; a field with a
context-dependant tag is double-tagged, with two different lengths in
When debugging, you either need special tools (how many debuggers have
a DER-decode function?) or a hex dump, a lot of patience, and a copy
of Kaliski's Layman's Guide *just to find* the field you want to look
In contrast, with SDSI it appears that, for the most part, you can
find a field of interest in a structure just by dumping it in ASCII.
Field tags are human-readable strings.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----