to be set if it trusts the requester to be responsible and sign other certificates on behalf of the CA itself.
Summary of X.509 Certificates
I've covered a lot of ground in this section, and it's easy to get lost in all of the details. To summarize: when your browser warns you about certificate errors, it's referring to an X.509 certificate that was presented by the target web site to identify itself. Such a certificate must be presented in order to guard against man-in-the-middle attacks. An X.509 certificate itself is a mapping of an entity name (e.g. a person or a website) to a public key. This mapping has a validity period and is vouched for by a trusted entity called a certificate authority. As long as all of these elements are present, you have a legitimate certificate. The X.509 specification takes it a step further and tells you what order they should be stored in and what form they should take.
Transmitting Certificates with ASN.1 Distinguished Encoding Rules (DER)
Quite a bit has been said so far about the abstract structure of a certificate without discussing how one is actually represented in byte form. The translation of primitive (ASN.1) types to byte representation is described according to a set of rules. Technically, these rules are independent of ASN.1 itself. I mentioned earlier that a certificate is the sort of thing that would probably be represented in XML these days — there is, in fact, a set of rules to encode ASN.1 in XML format! However, by far the most common encoding, and the one that SSL relies on, is called the Distinguished Encoding Rules (DER). The distinguished differentiates the rules from another set called the basic encoding rules. Fundamentally, the distinguished rules are more restrictive than the basic rules. For example, the basic rules allow the encoder to use more bytes than necessary to specify lengths (if the encoder wants all lengths to be encoded in a fixed set of bytes, for example). For the most part, the differences are superficial, and the basic encoding rules (BER) won't be specifically covered here.
The DER describes how to format integers, strings, dates, object identifiers, bit strings, sequences and sets — as well as several others, but these are the ones that are pertinent to the present discussion about X.509 certificates. See X.690 for a complete listing of DER encoding rules.
Encoded Values
Every encoded value is represented as a type, followed by the value's length, followed by the actual contents of the value itself; the representation of the contents depends on the type. So, for example, the type byte for an integer is 02. DER allows
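A worked reader for the type-length-value layout just described, added here as an example and not code from the book: it decodes the type byte and the length octets, rejects the non-minimal length forms that BER permits but DER forbids (the restriction mentioned above), and decodes a constructed SEQUENCE of INTEGERs. The constant names, the DerError class and the sample bytes are this example's own constructions.

```python
# Added example: a minimal DER type-length-value reader that also enforces the
# "distinguished" rules separating DER from BER (shortest length form, minimal INTEGER).
TAG_INTEGER, TAG_SEQUENCE = 0x02, 0x30

class DerError(ValueError):
    """Input is not valid DER (it may still be valid BER)."""

def read_tlv(data: bytes, offset: int = 0):
    """Return (tag, contents, next_offset) for the TLV starting at offset."""
    if offset + 2 > len(data):
        raise DerError("truncated TLV header")
    tag, first, pos = data[offset], data[offset + 1], offset + 2
    if first < 0x80:                 # short form: one octet holds length 0..127
        length = first
    elif first == 0x80:              # indefinite length exists only in BER
        raise DerError("indefinite length not allowed in DER")
    else:                            # long form: low 7 bits = number of length octets
        n = first & 0x7F
        len_octets, pos = data[pos:pos + n], pos + n
        length = int.from_bytes(len_octets, "big")
        if len(len_octets) != n or len_octets[0] == 0x00 or length < 0x80:
            raise DerError("truncated or non-minimal long-form length (BER, not DER)")
    if pos + length > len(data):
        raise DerError("contents extend past end of data")
    return tag, data[pos:pos + length], pos + length

def decode_integer(contents: bytes) -> int:
    """Decode DER INTEGER contents: big-endian two's complement, minimal octets."""
    # A leading 0x00 or 0xFF octet is legal only when needed to preserve the sign.
    if not contents or (len(contents) > 1 and (
            contents[0] == 0x00 and not contents[1] & 0x80
            or contents[0] == 0xFF and contents[1] & 0x80)):
        raise DerError("empty or non-minimal INTEGER contents")
    return int.from_bytes(contents, "big", signed=True)

def decode_integer_sequence(data: bytes) -> list:
    """Decode a SEQUENCE whose members are all INTEGERs; reject trailing bytes."""
    tag, body, end = read_tlv(data)
    if tag != TAG_SEQUENCE or end != len(data):
        raise DerError("expected exactly one SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, contents, pos = read_tlv(body, pos)
        if tag != TAG_INTEGER:
            raise DerError(f"unexpected tag {tag:#04x} inside SEQUENCE")
        values.append(decode_integer(contents))
    return values

# Constructed sample: SEQUENCE { INTEGER 2, INTEGER 256, INTEGER -129 }
SAMPLE = bytes.fromhex("300b" "020102" "02020100" "0202ff7f")
```

Feeding the same INTEGER 2 as `02 81 01 02` (a long-form length for a one-byte value, which BER accepts) makes `read_tlv` raise, which is exactly the kind of encoding a strict DER consumer must refuse.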