mace-opensaml-users - Re: [OpenSAML] encoding an X.509 certificate
Subject: OpenSAML user discussion
- From: Chad La Joie <>
- To:
- Subject: Re: [OpenSAML] encoding an X.509 certificate
- Date: Wed, 05 Nov 2008 15:02:43 +0100
- Openpgp: id=146B2514
- Organization: SWITCH
A certificate can never be encoded in DER format and within the content of
an XML element. You can either have semi-PEM (DER-encoded that is then
Base64 encoded) or true PEM encoded (DER-encoded that is Base64 encoded
plus appropriate headers). Pretty sure the OpenSAML library handles
either semi-PEM or true-PEM formats (PKCS8 is a subset of this). It
does also handle DER, but as I said, you can't put that in as the
contents of an XML element.
Tom Scavo wrote:
> Currently there are three profiles before the OASIS Security Services
> Technical Committee (SSTC) that rely on XML elements of the form:
>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>   <ds:X509Data>
>     <ds:X509Certificate>
>       MIIDuDCC...
>     </ds:X509Certificate>
>   </ds:X509Data>
> </ds:KeyInfo>
>
> Interestingly, the above element has sparked a vigorous debate within
> the SSTC, which has spread to the W3C XML Signature WG. The issue
> involves the ASN.1 encoding of the underlying certificate.
> Specifically, should the certificate be DER-encoded or should the
> encoding be left unspecified?
>
> So my question is: If you were given an X.509 certificate of unknown
> encoding, could you determine the encoding by simply inspecting the
> bytes? Does the OpenSAML library support such a function?
>
> Thanks for shedding some light on this issue.
>
> Tom
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
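The byte inspection Tom asks about, written out as an added example (this is not code from the thread or from OpenSAML, and all function names are mine): it distinguishes DER, bare Base64 of DER ("semi-PEM", the form carried inside ds:X509Certificate) and armoured PEM, by checking for PEM headers, then for a single DER SEQUENCE whose definite length spans the whole buffer, then for Base64 that decodes to such a SEQUENCE. The sample inputs are constructed minimal DER SEQUENCEs standing in for a real certificate.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def looks_like_der(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) whose definite
    length covers the rest of the buffer, as an X.509 Certificate must be.
    BER-only forms (indefinite or non-minimal lengths) are rejected."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                     # short form: one length octet
        return 2 + first == len(data)
    if first in (0x80, 0xFF):            # indefinite length / reserved
        return False
    n = first & 0x7F                     # long form: n length octets follow
    if n > 4 or len(data) < 2 + n or data[2] == 0:
        return False                     # leading zero octet is not DER
    length = int.from_bytes(data[2:2 + n], "big")
    return length >= 0x80 and 2 + n + length == len(data)


def decode_b64(text: bytes):
    """Strict Base64 decode after removing line breaks; None on failure."""
    try:
        return base64.b64decode(b"".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_certificate(data: bytes) -> str:
    """Return 'pem', 'der', 'semi-pem' or 'unknown' for raw certificate bytes.
    semi-PEM is bare Base64 of the DER, the form <ds:X509Certificate> carries."""
    m = PEM_RE.search(data)
    if m:
        body = decode_b64(m.group(1))
        return "pem" if body and looks_like_der(body) else "unknown"
    if looks_like_der(data):
        return "der"
    body = decode_b64(data)
    return "semi-pem" if body and looks_like_der(body) else "unknown"


# Constructed stand-ins for a real certificate: valid DER SEQUENCEs with a
# short-form and a long-form length, enough to exercise the byte checks.
SHORT_DER = bytes.fromhex("3003020100")             # SEQUENCE { INTEGER 0 }
LONG_DER = b"\x30\x81\x80\x04\x7e" + b"A" * 126     # SEQUENCE { OCTET STRING }
SEMI_PEM = base64.b64encode(LONG_DER)               # what goes in the XML
PEM = b"-----BEGIN CERTIFICATE-----\n" + SEMI_PEM + b"\n-----END CERTIFICATE-----\n"
```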