[cap-talk] Curious certificate expiration policy in Firefox
Tyler Close
tyler.close at gmail.com
Mon Oct 8 17:43:50 EDT 2007
Yikes, the Gutmann document is scary. The XML <=> ASN.1 folks must
have lots of fun.
It didn't cover one oddity I found when trying to replicate the output
of the JDK's keytool. That program prefixes the certificate signature
with a zero byte. The signature is defined to be of type BITSTRING.
Gutmann talks about prefixing an INTEGER, so as to encode the sign
bit, but doesn't say anything about prefixing a BITSTRING. Any idea
what's going on there? Any likely problems if I just automatically
dump an extra zero byte onto the start of every signature?
Thanks,
--Tyler
On 10/8/07, Jack Lloyd <lloyd at randombit.net> wrote:
> On Mon, Oct 08, 2007 at 03:00:06PM -0400, Jack Lloyd wrote:
>
> > FWIW, the PKIX RFCs are much (MUCH) more readable than the
> > ISO-produced X.509 docs. Peter Guttman wrote a pretty good (if
> > somewhat cynical) implementors guide that might be helpful.
>
> Thinko, Peter's last name is actually Gutmann.
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
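
An added example, not part of the message above or of the list thread: in DER, the first content octet of a BIT STRING is the count of unused bits in the final octet, which is 0 for a signature made of whole bytes, so the leading zero is part of the BIT STRING encoding rather than INTEGER-style sign padding. The Python sketch below encodes and decodes that framing; the function names and the sample signature bytes are constructed for illustration.

```python
# Added illustration: DER BIT STRING framing for a certificate signature.

def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_bit_string(data, unused_bits=0):
    """Tag 0x03, length, one unused-bits octet, then the bit data."""
    if not 0 <= unused_bits <= 7 or (unused_bits and not data):
        raise ValueError("unused-bits count must be 0..7, and 0 when empty")
    if unused_bits and data[-1] & ((1 << unused_bits) - 1):
        raise ValueError("DER requires the unused trailing bits to be zero")
    content = bytes([unused_bits]) + data
    return b"\x03" + der_length(len(content)) + content

def decode_bit_string(der):
    """Return (bit_data, unused_bits) from one DER-encoded BIT STRING."""
    if len(der) < 2 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    if der[1] < 0x80:
        length, offset = der[1], 2
    else:
        n = der[1] & 0x7F
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    content = der[offset:]
    if length == 0 or len(content) != length:
        raise ValueError("bad length, or missing unused-bits octet")
    unused = content[0]
    if unused > 7 or (unused and length == 1):
        raise ValueError("invalid unused-bits octet")
    return content[1:], unused

# Constructed 256-byte value standing in for a 2048-bit RSA signature.
# Its top bit is set on purpose: the zero octet appears either way,
# because it counts unused bits and is not INTEGER-style sign padding.
SAMPLE_SIG = bytes([0xFF]) + bytes(range(1, 256))

def demo():
    encoded = encode_bit_string(SAMPLE_SIG)
    return encoded[:5].hex(), decode_bit_string(encoded) == (SAMPLE_SIG, 0)

if __name__ == "__main__":
    print(demo())
```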