Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos


Peter Sylvester-3
I think we may have a different opinion of what could be maintenance.
Feel free to explain.

Anyway, you can do exactly what AUTOMATIC does with concrete tags.

The message was not necessarily to promote AUTOMATIC, but a question
why there is a different tagging regime involved which is not totally
because OCTET STRINGS are IMPLICIT tagged when they contain other

Russ Housley wrote:

> I find AUTOMATIC TAGS to be more difficult later down the line when
> one is doing maintenance. In my opinion, it hides too much.
> Russ
> At 09:10 AM 11/3/2005, Olivier Dubuisson wrote:
>> Tom Gindin wrote:
>>> If it isn't too late to fix this without breaking lots of
>>> implementations, the ASN.1 in this specification is over-tagged. In
>>> section 3.2.1, all three of the tags in PA-PK-AS-REQ are
>>> unnecessary, and the one on signedAuthPack is actually slightly
>>> harmful. None of the tags in PKAuthenticator do any good either. The
>>> OCTET STRING wrappings for subjectName and issuerAndSerialNumber are
>>> not really appropriate, and subjectName doesn't need a tag. Even in
>>> AuthPack, pkAuthenticator and clientDHNonce don't need tags.
>>> Similarly, in 3.2.3, there is no reason for any of the tags in
>>> PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in ReplyKeyPack
>>> also seem unnecessary.
>> The easiest thing would be to put "AUTOMATIC TAGS" in the module
>> header (instead of "EXPLICIT TAGS") and not bother with tags, for
>> "AUTOMATIC TAGS" would tag where necessary. But I understand from
>> another response that the Kerberos team doesn't want to deviate from
>> their historical choice...
>> --
>> Olivier DUBUISSON
>> France Telecom
>> Recherche & Developpement
>> R&D/MAPS/AMS - 22307 Lannion Cedex - France
>> t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 -

To verify the signature, see 
This lets you load the authority's certificate;
the list of revoked certificates can also be found there.

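The tagging regimes discussed in the thread, as an added Python illustration that is not part of any message or of the PKINIT specification: it DER-encodes one OCTET STRING untagged, with an IMPLICIT context tag and with an EXPLICIT one, then shows the case where a tag is actually needed (two OPTIONAL members of the same type). The payload, the two-member SEQUENCE and all helper names are constructed for the example.

```python
# Added illustration: DER tagging of an OCTET STRING (names are hypothetical).
OCTET_STRING, SEQUENCE = 0x04, 0x30

def der_len(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def ctx(n: int, constructed: bool) -> int:
    """Context-specific tag byte [n] (low tag numbers only, n < 31)."""
    return 0x80 | (0x20 if constructed else 0) | n

def untagged(p: bytes) -> bytes:
    return tlv(OCTET_STRING, p)

def implicit(n: int, p: bytes) -> bytes:
    return tlv(ctx(n, False), p)            # [n] replaces the 0x04 tag

def explicit(n: int, p: bytes) -> bytes:
    return tlv(ctx(n, True), untagged(p))   # [n] wraps the whole 0x04 TLV

def parse(buf: bytes):
    """Split the first TLV off buf: (tag, content, rest)."""
    first = buf[1]
    if first < 0x80:
        length, off = first, 2
    else:
        k = first & 0x7F
        length, off = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return buf[0], buf[off:off + length], buf[off + length:]

def member_tags(seq: bytes) -> list:
    """Tags of the members actually present in an encoded SEQUENCE."""
    tag, body, _ = parse(seq)
    assert tag == SEQUENCE
    tags = []
    while body:
        t, _, body = parse(body)
        tags.append(t)
    return tags

if __name__ == "__main__":
    p = bytes.fromhex("010203")             # constructed sample payload
    for name, enc in (("untagged", untagged(p)), ("implicit", implicit(0, p)),
                      ("explicit", explicit(0, p))):
        print(f"{name:9s}{enc.hex()}")
    # SEQUENCE { a OCTET STRING OPTIONAL, b OCTET STRING OPTIONAL }, only b sent:
    print(member_tags(tlv(SEQUENCE, untagged(b"B"))))      # 0x04: a or b?
    print(member_tags(tlv(SEQUENCE, implicit(1, b"B"))))   # 0x81: must be b
```

An EXPLICIT tag costs an extra tag and length on every tagged member, while an IMPLICIT tag costs nothing on the wire but hides the underlying type from a decoder that lacks the schema.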