On Tuesday, August 8, 2017 at 12:51:40 AM UTC+9, Matthew Hardeman wrote:
> It is what it is, I'm sure, but that definition in RFC5280 is rather tortured
> and leads to ambiguity as to whether or not the leading 0x00 is. In fact, I
> would say that it is not part of the integer value but rather an explicit
> sign flag required by the encoding mechanism.
>
> Wouldn't it have been easier just to say that despite what the ASN.1 INTEGER
> type says, serial number shall be regarded as an explicitly unsigned integer
> of up to 20 bytes length, to be represented as a positive integral value?
>
> Pragmatically, does anything known break on the extra byte there?
Yes. NSS does. Because NSS properly implements 5280.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
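The point under discussion, as an added example that is not from the thread or from NSS: a DER INTEGER is two's complement, so a 20-byte serial whose top bit is set needs a 21st 0x00 octet, and a checker that applies the RFC 5280 20-octet limit to the encoded content octets (as the reply says NSS does) rejects it. The function names and the constructed sample values are the example's own.

```python
"""Constructed example: RFC 5280 serialNumber checks on DER INTEGER content octets."""
from __future__ import annotations

MAX_SERIAL_OCTETS = 20  # RFC 5280 s4.1.2.2: serialNumber MUST NOT exceed 20 octets


def der_integer_content(value: int) -> bytes:
    """Minimal two's-complement content octets of a DER INTEGER (X.690 s8.3).

    A positive value with its top bit set gains a leading 0x00 octet; that octet
    is part of the encoded INTEGER, not a separate flag.
    """
    length = 1
    while True:
        try:
            return value.to_bytes(length, "big", signed=True)
        except OverflowError:
            length += 1


def der_integer(value: int) -> bytes:
    """Full DER INTEGER TLV: tag 0x02, definite length, content octets."""
    content = der_integer_content(value)
    n = len(content)
    if n < 0x80:
        length_octets = bytes([n])  # short form
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length_octets = bytes([0x80 | len(raw)]) + raw  # long form
    return b"\x02" + length_octets + content


def check_serial(value: int) -> tuple[bool, str]:
    """Apply the RFC 5280 rules to the encoded content octets, strict-style."""
    content = der_integer_content(value)
    if content[0] & 0x80:
        return False, "negative serial number (MUST be positive)"
    if value == 0:
        return False, "zero serial number (MUST be positive)"
    if len(content) > MAX_SERIAL_OCTETS:
        return False, f"{len(content)} content octets exceed {MAX_SERIAL_OCTETS}"
    return True, f"{len(content)} content octets"


if __name__ == "__main__":
    # Constructed sample values: 159-bit serial fits; 160-bit with top bit set does not.
    for serial in (2**159 - 1, 2**159, 2**160 - 1):
        ok, why = check_serial(serial)
        print(f"{serial.bit_length()}-bit serial: {'OK' if ok else 'REJECT'} ({why})")
```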