rfc 3280



I have a couple of questions about complying with RFC 3280.

RFC 3280 says:
CAs MUST force the serialNumber to be a non-negative integer ...
Non-conforming CAs may issue certificates with serial numbers
that are negative, or zero.  Certificate users SHOULD be prepared to
gracefully handle such certificates.

PKITS interprets this as saying that a CRL can
revoke a cert with a serial number of -1. Why?
It seems to me that it would be graceful to
simply reject any cert or CRL with a negative
serial number, since no such cert or CRL could
be correct anyway.

What does "gracefully" mean?

RFC 3280 also says:
the sign bit in the DER encoding of the INTEGER value MUST be
zero - this can be done by adding a leading (leftmost) `00'H octet if 
necessary.
.... serial numbers can be expected to
contain long integers.  Certificate users MUST be able to handle
serialNumber values up to 20 octets in length.  Conformant CAs MUST
NOT use serialNumber values longer than 20 octets.

Is the 20 byte limit calculated before or after
adding the 00 byte? (This matters because some CAs
use a 20 byte SHA1 value instead of a serial number,
and that value may need a pad byte.)

Thanks,
Roger
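
As an added illustration (not part of the message above, and not code from RFC 3280 or PKITS), this Python sketch shows the DER behaviour both questions turn on: a 20-octet value with its top bit set needs a leading 00 octet, giving 21 content octets, and the same 20 octets written without that pad decode as a negative INTEGER. The function names and the 20-byte sample values are constructed for the example; it reports both octet counts and does not decide which one the RFC's limit refers to.

```python
def encode_der_integer(value: int) -> bytes:
    """Encode an int as a minimal DER INTEGER (short-form length only)."""
    bits = (value if value >= 0 else ~value).bit_length()
    content = value.to_bytes(bits // 8 + 1, "big", signed=True)
    if len(content) > 127:
        raise ValueError("long-form lengths not handled in this sketch")
    return bytes([0x02, len(content)]) + content


def inspect_serial(der: bytes) -> dict:
    """Decode a DER INTEGER and report the facts a serialNumber check needs."""
    if len(der) < 3 or der[0] != 0x02 or der[1] > 127:
        raise ValueError("not a short-form DER INTEGER")
    content = der[2:]
    if len(content) != der[1]:
        raise ValueError("length octet does not match content")
    if len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding")
    value = int.from_bytes(content, "big", signed=True)
    pad = len(content) > 1 and content[0] == 0x00
    return {
        "value": value,
        "negative": value < 0,
        "content_octets": len(content),
        "magnitude_octets": len(content) - (1 if pad else 0),
        "pad_octet": pad,
    }


# Constructed 20-byte values standing in for SHA-1 digests used as serials.
HIGH_BIT_SET = bytes([0x80]) + bytes(range(1, 20))
HIGH_BIT_CLEAR = bytes([0x7F]) + bytes(range(1, 20))

if __name__ == "__main__":
    for name, raw in (("set", HIGH_BIT_SET), ("clear", HIGH_BIT_CLEAR)):
        der = encode_der_integer(int.from_bytes(raw, "big"))
        print("high bit", name, inspect_serial(der))
    # The same 20 octets written without the pad octet decode as negative.
    print("unpadded", inspect_serial(b"\x02\x14" + HIGH_BIT_SET)["negative"])
    print("minus one", encode_der_integer(-1).hex())
```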





