Do you have an ASN.1 definition that fits the content of the CSR, or are you willing to 
create one?

IMHO, DER would be a pretty good choice, far better than something home-brewed 
and non-standard.

Regards,
Uri

Sent from my iPhone

> On Aug 28, 2019, at 17:49, Robert Moskowitz <r...@htt-consult.com> wrote:
> 
> CSR is an object in a container that goes over a 'wire'.   Sometimes the wire 
> is very small (BT4) so the container needs to be tightly designed.
> 
> It should be a standard, not something totally off the wall.  Well I could do 
> it in CBOR, and probably will at some point, but for now something more 
> common in PKIX world should work.
> 
> Mangle it, stuff it down the wire, de-mangle it and use it.  For now I am 
> referencing RFC 2986.
> 
> What do you suggest?  Please reference documents that can be referenced in 
> the document.
> 
> Thanks
> 
> 
>> On 8/28/19 5:23 PM, Michael Sierchio wrote:
>> 
>> I don't see the point in DER encoding for a CSR – The RA and CA decide the 
>> composition of the cert, based on the rules and CPA that they follow, and of 
>> course any cert issued will be in DER format, and may include reordering or 
>> modified/expanded extensions and key use restrictions.  A CSR is basically 
>> an assertion that includes pubkey, proof of possession of the private key, 
>> and any request elements required by policy.  It's a one-time document that 
>> needs to be validated precisely once.
>> 
>> 
>>> On Wed, Aug 28, 2019 at 6:49 AM Robert Moskowitz <r...@htt-consult.com> 
>>> wrote:
>>> I am writing an Internet Draft that will include transmission of a CSR, 
>>> so I need to reference the proper source.  No more sloppy, "well it 
>>> works...".
>>> 
>>> Some digging said it is in PKCS#10 - CSR.  But I did not stop with that.
>>> 
>>> A bit more googling led me to RFC 4211...
>>> 
>>> When I create a CSR with:
>>> 
>>>     openssl req -config openssl-intermediate.cnf \
>>>         -key ./private/client.key.pem \
>>>         -subj "$DN" -new -out ./csr/client.csr.pem
>>> 
>>> What format is this?  Are there better, more concise formats (e.g. DER?) 
>>> for transmission over constrained networks?
>>> 
>>> I can dump it with
>>> 
>>>     openssl req -text -noout -verify -in ./csr/client.csr.pem
>>> 
>>> But that does not really tell me the format, only what is in the cert.
>>> 
>>> Thanks
>>> 
>> 
>> 
>> -- 
>> 
>> "Well," Brahmā said, "even after ten thousand explanations, a fool is no 
>> wiser, but an intelligent person requires only two thousand five hundred."
>> 
>> - The Mahābhārata
> 
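
The PEM-versus-DER size question raised in this thread, as an added example that is not code from any of the posters: PEM is base64-armored DER, so stripping the armor recovers the DER bytes of the RFC 2986 `CertificationRequest`, whose three top-level fields can then be walked. The sample request is constructed for illustration; the subject `CN=client`, the Ed25519 algorithm OID and the all-zero key and signature bytes are assumptions, so the signature would not verify.

```python
import base64

def tlv(tag: int, content: bytes) -> bytes:
    """DER-encode one tag-length-value element (definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content          # short-form length
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf: bytes, pos: int = 0):
    """Decode the element at pos; return (tag, content, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def pem_wrap(der: bytes) -> bytes:
    """Armor DER as PEM: base64 in 64-character lines between markers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE REQUEST-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE REQUEST-----\n")

def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM markers and undo the base64 to get the DER bytes."""
    body = [l for l in pem.splitlines() if l and not l.startswith(b"-----")]
    return base64.b64decode(b"".join(body))

def top_level_tags(der: bytes) -> list:
    """Tags of the fields inside the outer CertificationRequest SEQUENCE."""
    _, body, _ = read_tlv(der)
    tags, pos = [], 0
    while pos < len(body):
        tag, _, pos = read_tlv(body, pos)
        tags.append(tag)
    return tags

# Constructed sample, shaped like RFC 2986 (placeholder key and signature):
# CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }
alg = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))       # OID 1.3.101.112 (Ed25519)
name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"client"))))
spki = tlv(0x30, alg + tlv(0x03, b"\x00" + bytes(32)))
info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, b""))
SAMPLE_DER = tlv(0x30, info + alg + tlv(0x03, b"\x00" + bytes(64)))
SAMPLE_PEM = pem_wrap(SAMPLE_DER)
```

On a real request, `openssl req -in ./csr/client.csr.pem -outform DER -out ./csr/client.csr.der` performs the same PEM-to-DER conversion.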
