-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[docs] OID information: provide more detail about the structure of each X.509 extension? #900
Comments
+1! Though I also like the idea of using ASN.1 structures for future OIDs. |
Thought a bit more about this - this is going to be driven by how easy this is to do in golang, I haven't looked yet. If implicit/inline is the default, we'll probably just keep that, I don't want to complicate parsing. Given the ASN1 structure is a single string, explicit tagging isn't needed. |
The above comment is a little incorrect! As I'm sure is a common phrase, I misunderstood ASN.1. Implicit/explicit is only relevant when the structure contains tagged fields, for example An extension sequence looks like the following (from RFC5280):
Consider this structure from a cert: https://lapo.it/asn1js/#MCkGCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbQ. This contains the extension ID and extension value. The extension value is an Proper ASN.1 would be wrapping the string in its type, for example https://lapo.it/asn1js/#MCsGCisGAQQBg78wAQEEHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29t would be the fix, wrapping the issuer in a UTF8String. I propose that we duplicate the issuer extension alongside the other work to standardize CI extensions, and mark the old issuer as deprecated. |
That makes sense to me! FWIW, I still think we could save ourselves some future migration pain by switching to a single X.509 extension for all embedded claims, e.g. something like: ClaimsExtension :: SEQUENCE {
version INTEGER,
claims Claims,
}
Claims ::= SET OF Claim
Claim ::= SEQUENCE {
id OBJECT IDENTIFIER,
value ANY DEFINED BY id,
} ...where (This avoids the problem in #981 by punting on whether any such extension should be marked as critical.) |
I was perusing the oid-info doc for the nth time, and I noticed that we don't currently explicitly specify how each OID-identified X.509v3 extension is laid out.
For example:
In particular, it might make sense to clarify that each of our extensions is (currently) laid out "inline", rather than being a nested ASN.1 structure containing the string or other data.
The text was updated successfully, but these errors were encountered: