If we were using PKCS#7 for certs, then why not PKCS#7 the payload as well?

(No - I am not proposing to do it. Doing so with AES-128,192,256 is
prohibitive in some languages such as PHP, but just as a point of
discussion to close this.)

On Tue, Jun 22, 2010 at 6:33 PM, Ben Laurie <b...@google.com> wrote:
> On 22 June 2010 02:40, Manger, James H <james.h.man...@team.telstra.com> wrote:
>> Nat and Ben,
>>
>>>>> In addition to Ben's questions, I have another. For X.509, you seem to
>>>>> be using DER. How do you express the entire certificate chain using
>>>>> DER?
>>>>> (With PEM, you can just concatenate ... )
>>>>
>>>> With DER you can concatenate, too, of course. There's also PKCS#n (for
>>>> some value of n which I forget ... 12?) which allows bundling of cert
>>>> chains.
>>>
>>> That's PKCS#12, I suppose. I was under the impression that PKCS#12 includes
>>> the private key, though.
>>
>> A *.p7c file can be used to hold any number of certificates. It is a
>> BER-encoded PKCS#7 value, now known as the Cryptographic Message Syntax (CMS)
>> standard [RFC 5652]. It is the ASN.1 syntax used for S/MIME signed email. If
>> you only want to send certificates, just leave out the
>> content-to-be-signed and the signatures.
>
> Ah, thanks, I thought there was something less kludgey than PKCS#12.
>
>> Such a file can hold any number of certificates, including public-key
>> certificates, attribute certificates, or other certificate formats.
>>
>> It can also hold CRLs and other revocation information (including OCSP
>> responses as per draft-turner-additional-cms-ri-choices).
>>
>> CMS/PKCS#7 is better for this purpose than PKCS#12.
>>
>> --
>> James Manger
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth



-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
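The certs-only bundle James describes, a CMS SignedData with the content-to-be-signed and the SignerInfos left out, as an added example that is not code from this thread or from any project. It is a dependency-free Python DER builder and reader for the structure in RFC 5652; the "certificates" it bundles are constructed placeholder SEQUENCEs standing in for real DER X.509 certificates, and the reader accepts only DER definite lengths (a real .p7c may be BER with indefinite lengths, which it rejects rather than mis-parses; `openssl crl2pkcs7 -nocrl -certfile chain.pem -outform DER` emits the DER form). The `version` value of 1 is what RFC 5652 section 5.1 prescribes when only X.509 certificates are present and the eContentType is id-data.

```python
"""Certs-only CMS / PKCS#7 SignedData (the ".p7c" bundle) in pure Python.

Added example, not code from the thread.  Builds the degenerate SignedData
(no eContent, no SignerInfos, just the certificates set) and reads it back.
DER definite lengths only; BER indefinite-length input raises ValueError.
"""

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData (RFC 5652 s.5.1)
ID_DATA = "1.2.840.113549.1.7.1"         # id-data, the eContentType when eContent is absent


def der_length(n: int) -> bytes:
    """Definite-length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One DER element: tag, length, value."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_certs_only_p7c(certs_der: list) -> bytes:
    """ContentInfo { id-signedData, [0] EXPLICIT SignedData } carrying only certificates.

    DER requires SET OF members in ascending octet order, so the certificates are
    sorted; consumers do not depend on the order.  An empty set is simply omitted.
    """
    certs_der = sorted(certs_der)
    signed_data = (
        tlv(0x02, b"\x01")                      # version 1: X.509 certs only, id-data
        + tlv(0x31, b"")                        # digestAlgorithms: empty SET
        + tlv(0x30, encode_oid(ID_DATA))        # encapContentInfo: id-data, eContent absent
        + (tlv(0xA0, b"".join(certs_der)) if certs_der else b"")  # [0] IMPLICIT certificates
        + tlv(0x31, b"")                        # signerInfos: empty SET
    )
    return tlv(0x30, encode_oid(ID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, signed_data)))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise ValueError("indefinite-length BER; re-encode as DER first")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes) -> list:
    """Split a constructed value into (tag, value, raw_encoding) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, end = read_tlv(body, pos)
        out.append((tag, val, body[pos:end]))
        pos = end
    return out


def parse_signed_data(p7c: bytes) -> dict:
    """Report the version, the X.509 certificates and the signer count of a SignedData."""
    tag, content_info, end = read_tlv(p7c)
    if tag != 0x30 or end != len(p7c):
        raise ValueError("not a single ContentInfo SEQUENCE")
    oid, wrapper = children(content_info)[:2]
    if oid[2] != encode_oid(ID_SIGNED_DATA) or wrapper[0] != 0xA0:
        raise ValueError("contentType is not id-signedData")
    fields = children(read_tlv(wrapper[1])[1])        # the SignedData SEQUENCE's fields
    version = int.from_bytes(fields[0][1], "big", signed=True)
    certs = []
    for tag, val, _ in fields[3:-1]:                  # optional [0] certificates, [1] crls
        if tag == 0xA0:
            # CertificateChoices: a bare SEQUENCE is an X.509 Certificate; the tagged
            # alternatives ([1]/[2] attribute certs, [3] other) are skipped here.
            certs = [raw for t, _, raw in children(val) if t == 0x30]
    signer_count = len(children(fields[-1][1]))       # signerInfos SET OF
    return {"version": version, "certificates": certs, "signer_count": signer_count}


if __name__ == "__main__":
    # Constructed placeholders standing in for DER-encoded X.509 certificates.
    chain = [tlv(0x30, tlv(0x04, b"constructed leaf cert")),
             tlv(0x30, tlv(0x04, b"constructed issuer cert"))]
    bundle = build_certs_only_p7c(chain)
    print(bundle.hex())
    print(parse_signed_data(bundle))
```

Run with a real chain by replacing the placeholders with the DER bytes of each certificate; `signer_count` being 0 is what distinguishes a certs-only bundle from a signed message that merely carries its chain.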