OpenSAML user discussion

[Chad La Joie <>]

A certificate can never be encoded in DER format and within content of
an XML element.  You can either have semi-PEM (DER-encoded that is then
Base64 encoded) or true PEM encoded (DER-encoded that is Base64 encoded
plus appropriate headers).  Pretty sure the OpenSAML library handles
either semi-PEM and true-PEM formats (PKCS8 is a subset of this).  It
does also handle DER, but as I said, you can't put that in as the
contents of an XML element.

Tom Scavo wrote:
> Currently there are three profiles before the OASIS Security Services
> Technical Committee (SSTC) that rely on XML elements of the form:
> 
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
>  <ds:X509Data>
>   <ds:X509Certificate>
> MIIDuDCC...
>   </ds:X509Certificate>
>  </ds:X509Data>
> </ds:KeyInfo>
> 
> Interestingly, the above element has sparked a vigorous debate within
> the SSTC, which has spread to the W3C XML Signature WG.  The issue
> involves the ASN.1 encoding of the underlying certificate.
> Specifically, should the certificate be DER-encoded or should the
> encoding be left unspecified?
> 
> So my question is:  If you were given an X.509 certificate of unknown
> encoding, could you determine the encoding by simply inspecting the
> bytes?  Does the OpenSAML library support such a function?
> 
> Thanks for shedding some light on this issue.
> 
> Tom

-- 
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch