> On 9. Oct 2025, at 19:59, Phillip Hallam-Baker <[email protected]> wrote:
>
> If you are going to replace DER with CBOR, fine. DER is probably the single biggest reason for hatred of ASN.1. The problem being you have to encode nested variants.

Fine. So no further discussion is needed.

> But that goes away if you are going to take a DER-encoded certificate and convert it to CBOR for 'compression'. Once you do that, you have to reconstruct the original DER to validate the signature. And those of us who know DER are saying that is an absolute horror show.
>
> The only way to efficiently encode DER is to write yourself a custom buffer class that allows you to start at the end of the structure and work backwards. And even then you have to sort sets. That isn't a problem for most of the TLS world because most certificates come from special snowflakes that have to get themselves $250K audits and such and nobody really checks to see if the certs are really DER in any case.
>
> If you are trying to use CBOR to compress existing PKIX certs, every relying party is going to have to do the ASN.1 DER encoding rules to validate signatures.

Yes. The relying party needs to understand both C509 and ASN.1 DER encoding rules to reconstruct the TBSCertificate for the signature verification. This is the cost of a smaller transport size.
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
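The re-encoding obligation discussed above (a relying party that treats C509 as compression of an existing DER certificate must rebuild the exact TBSCertificate octets before it can check the signature) is illustrated by the following Python sketch. It is an added example, not code from the thread, from the C509 draft, or from any X.509 library. It assumes a toy TBS shape (serial, issuer name, subject name), stands in for the CBOR side with plain Python dicts and tuples, and uses a SHA-256 digest of the reconstructed bytes in place of the public-key operation, since a real verifier hashes those same bytes first. All function names (`encode_tbs`, `relying_party_verify`, `der_set_of`, ...) and the sample fields are the example's own constructions.

```python
"""Why a C509-as-compression relying party must re-run the DER rules exactly.

Toy illustration (not C509, not a real X.509 encoder). The CBOR layer is stood
in for by Python dicts; SHA-256 of the rebuilt TBS stands in for the signature.
"""
import hashlib


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(v: int) -> bytes:
    """INTEGER in minimal two's complement: a 0x00 lead byte only when the
    high bit of the magnitude is set (0x7f -> 7f, 0x80 -> 00 80)."""
    if v < 0:
        raise ValueError("example handles non-negative integers only")
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs combined, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def der_utf8(s: str) -> bytes:
    return tlv(0x0C, s.encode("utf-8"))


def der_sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def der_set_of(items, canonical: bool = True) -> bytes:
    """SET OF. DER (X.690 11.6) orders members by their encoded octets.
    canonical=False keeps the order the decoder handed back, which BER
    tolerates but which no longer reproduces what the CA signed."""
    members = sorted(items) if canonical else list(items)
    return tlv(0x31, b"".join(members))


def encode_name(rdns, canonical: bool = True) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, UTF8String }."""
    return der_sequence(*[
        der_set_of([der_sequence(der_oid(oid), der_utf8(val)) for oid, val in rdn], canonical)
        for rdn in rdns
    ])


def encode_tbs(fields: dict, canonical: bool = True) -> bytes:
    """Toy TBS: SEQUENCE { serial INTEGER, issuer Name, subject Name }.
    `fields` is the decoded view a C509-style decoder would hand back."""
    return der_sequence(
        der_integer(fields["serial"]),
        encode_name(fields["issuer"], canonical),
        encode_name(fields["subject"], canonical),
    )


def digest(tbs: bytes) -> str:
    return hashlib.sha256(tbs).hexdigest()


def relying_party_verify(compressed_fields: dict, expected_digest: str) -> bool:
    """The relying party's job: rebuild the exact DER TBS, then check it."""
    return digest(encode_tbs(compressed_fields, canonical=True)) == expected_digest


# Constructed sample. The subject RDN lists its attributes in the order a
# decoder might emit them, which is not DER order (CN's OID sorts before O's).
SAMPLE_FIELDS = {
    "serial": 0x0100,
    "issuer": [[("2.5.4.3", "Toy Root CA")]],
    "subject": [[("2.5.4.10", "Example Org"), ("2.5.4.3", "device-0001")]],
}
# The octets the (constructed) CA actually signed: proper DER.
ORIGINAL_TBS = encode_tbs(SAMPLE_FIELDS, canonical=True)

if __name__ == "__main__":
    expected = digest(ORIGINAL_TBS)
    print("DER re-encode matches signed bytes:", relying_party_verify(SAMPLE_FIELDS, expected))
    naive = encode_tbs(SAMPLE_FIELDS, canonical=False)
    print("naive re-encode matches signed bytes:", digest(naive) == expected)
```

The point the sketch makes is the one raised in the thread: nothing in the compressed representation tells the relying party how the SET members were ordered or how the INTEGER was padded, so the decoder has to carry the DER rules itself, and a single deviation (unsorted SET, a non-minimal length, a missing or extra 0x00 on an INTEGER) yields different bytes and a failed signature check.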
