Are X.509 parsers supposed to check that the input is valid DER (as opposed to BER)? I haven't been able to find any implementation that does this. cc @BRIAN_____
Also, people are working on a DN parser for webpki. What's the (security) advantage to validating set ordering? Does it allow the user of the library to make any useful (effort-saving or otherwise) assumptions?
-
-
Technically, if you accept BER, a DN comparison (for e.g. chain building) is not just a simple memcmp
-
It's true that you could have false negatives (certificate validation fails when it ought to succeed) but you'll never have false positives. If the CA follows good practices, issuers and subjects will always match byte-for-byte.
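The byte-for-byte point from the thread above, as an added example that is not part of the original conversation: the same multi-valued RDN encoded once as DER and once as BER fails a plain byte comparison, and matches only after both are re-encoded canonically. The function names and sample bytes are constructed for illustration; the sketch checks only length encoding and SET OF ordering, not full RFC 5280 name matching.

```python
def read_tlv(buf, pos, strict):  # -> (tag, value, next_pos); strict rejects BER lengths
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or multi-byte tag (not handled here)")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first                                  # short form
    elif first == 0x80:
        raise ValueError("indefinite length (BER only, not handled here)")
    else:
        raw = buf[pos:pos + (first & 0x7F)]             # long form
        if len(raw) != first & 0x7F:
            raise ValueError("truncated length")
        length, pos = int.from_bytes(raw, "big"), pos + len(raw)
        if strict and (length < 0x80 or raw[0] == 0):
            raise ValueError("non-minimal length (BER, not DER)")
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def encode(tag, value):  # one TLV with a minimal (DER) length
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + value

def der_items(buf, strict):  # re-encode each TLV in buf as DER, recursively
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos, strict)
        if tag & 0x20:                                  # constructed: walk children
            kids = der_items(value, strict)
            if tag == 0x31 and strict and kids != sorted(kids):
                raise ValueError("SET OF not sorted (BER, not DER)")
            value = b"".join(sorted(kids) if tag == 0x31 else kids)
        items.append(encode(tag, value))
    return items

def names_match(a, b):  # compare after canonical re-encoding instead of memcmp
    return b"".join(der_items(a, False)) == b"".join(der_items(b, False))

def is_der(buf):
    try:
        return bool(der_items(buf, True))
    except ValueError:
        return False

# Constructed sample: multi-valued RDN {CN=ab, O=c}, once as DER and once as BER.
CN = encode(0x30, bytes.fromhex("0603550403") + encode(0x0C, b"ab"))
O = encode(0x30, bytes.fromhex("060355040a") + encode(0x0C, b"c"))
DER_NAME = encode(0x30, encode(0x31, O + CN))
BER_NAME = b"\x30\x81\x17" + encode(0x31, CN + O)       # long-form length, unsorted SET
```

A parser that rejects anything failing `is_der` can keep comparing issuer and subject bytes directly; one that accepts BER needs a step like `names_match` to avoid the false negatives mentioned in the thread.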