Nat and Ben,

>>> In addition to Ben's questions, I have another. For X.509, you seem to
>>> be using DER. How do you express the entire certificate chain using
>>> DER?
>>> (With PEM, you can just concatenate ... )
>>
>> With DER you can concatenate, too, of course. There's also PKCS#n (for
>> some value of n which I forget ... 12?) which allows bundling of cert
>> chains.
>
> That's PKCS#12, I suppose. I was under the impression that PKCS#12 includes the
> private key, though.

A *.p7c file can be used to hold any number of certificates. It is a BER-encoded PKCS#7 value, now known as the Cryptographic Message Syntax (CMS) standard [RFC 5652<http://tools.ietf.org/html/rfc5652#section-5.1>]. It is the ASN.1 syntax used for S/MIME signed email. If you only want to send certificates, just leave out the content-to-be-signed and the signatures.

Such a file can hold any number of certificates, including public-key certificates, attribute certificates, or other certificate formats. It can also hold CRLs and other revocation information (including OCSP responses as per draft-turner-additional-cms-ri-choices<http://tools.ietf.org/html/draft-turner-additional-cms-ri-choices>).

CMS/PKCS#7 is better for this purpose than PKCS#12.

--
James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
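
The two options discussed in this thread (back-to-back DER certificates, and a certs-only CMS SignedData as in a *.p7c file), sketched as an added example that is not part of the original messages or of any project's code. The function names are illustrative, the "certificates" are constructed stand-in SEQUENCEs rather than real X.509, and only definite-length encodings are handled.

```python
# Added example (stdlib only). SAMPLE_CHAIN holds constructed stand-ins, not real X.509.
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, body):
    """Encode one TLV with a definite length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n == 0x80:
        raise ValueError("indefinite length (BER) not handled")
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + n], pos + n

def split_elements(buf):  # also splits concatenated DER certificates
    out, pos = [], 0
    while pos < len(buf):
        _, _, nxt = read_tlv(buf, pos)
        out.append(buf[pos:nxt])
        pos = nxt
    return out

def certs_only_p7c(certs):
    """ContentInfo{signedData} with no content and no signers (RFC 5652, 5.1)."""
    body = (tlv(0x02, b"\x01") + tlv(0x31, b"")  # version 1, no digestAlgorithms
            + tlv(0x30, OID_DATA)                 # eContentType only, no eContent
            + tlv(0xA0, b"".join(certs))          # certificates [0] IMPLICIT SET OF
            + tlv(0x31, b""))                     # signerInfos: empty
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, tlv(0x30, body)))

def extract_certs(p7c):
    """Return (certificates, signers_present) from a SignedData ContentInfo."""
    tag, info, end = read_tlv(p7c)
    if tag != 0x30 or end != len(p7c) or not info.startswith(OID_SIGNED_DATA):
        raise ValueError("not a CMS SignedData ContentInfo")
    signed_data = read_tlv(read_tlv(info, len(OID_SIGNED_DATA))[1])[1]
    fields = split_elements(signed_data)
    certs = [c for f in fields if f[0] == 0xA0 for c in split_elements(read_tlv(f)[1])]
    return certs, read_tlv(fields[-1])[1] != b""

SAMPLE_CHAIN = [tlv(0x30, tlv(0x04, b"leaf" * 50)), tlv(0x30, tlv(0x04, b"CA"))]
```

Because the certificates field is a SET OF, a receiver should not rely on element order to find the leaf; a strict DER encoder would also sort the elements, which this sketch does not do.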