[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: some concerns about last IKEv2 draft



 In your previous mail you wrote:

   On Wed, Sep 10, 2003 at 06:30:19PM +0200, Francis Dupont wrote:
   > I have some concerns about the draft-ietf-ipsec-ikev2-10.txt document:
   > 
   >  - in 3.6 Certificate Payload:
   > 
   >       Hash and URL of PKIX bundle (13) contains a 20 octet SHA-1 hash of
   >       a PKIX certificate bundle followed by a variable length URL the
   >       resolves to the BER encoded certificate bundle itself. The bundle
   >       is a BER encoded SEQUENCE of certificates and CRLs.
   > 
   >  => this is an underspecified ASN.1 type: some tagging is needed,
   >     for instance by adding:
   >     ", respectively with implicit tags 0 and 1".
   
   To be fair to the draft, it didn't claim that this is an ASN.1 type, it
   just specifies the use of BER.
   
=> hum, BER and SEQUENCE are ASN.1 words... Do you argue the document
should specify ASN.1?

   That said, there are at least to problems here: a) the first sentence of
   the paragraph you quote is grammatically incorrect

=> a) not my fault, b) please propose a better one.

   and b) it should use
   DER or CER instead of BER (since there's multiple ways to encode an ASN.1
   SEQUENCE in BER, but one should generally use a definite encoding to
   encode inputs to hash functions).
   
=> no, I believed the same thing but DER is not needed at all.
Of course, as DER is a subset of BER, IMHO we'll always get DER...

   Further, it would be preferable to give the ASN.1 syntax for this
   SEQUENCE, which means getting the tagging right, as you point out.
   
=> IMHO we should reduce the ASN.1 specifications in the document to
the minimum. My concern is we are (were!) below this minimum.

Thanks

Francis.Dupont@xxxxxxxxxxxxxxxx