[cabfpub] Certificate encoding

[Peter Bowen]

I ran across an interesting problem yesterday.  

X.509 (10/2012) Section 6.3 (Distinguished encoding of Basic Encoding Rules) says " In order to enable the validation of SIGNED  and SIGNATURE  types in a distributed environment, a distinguished encoding is required. A distinguished encoding of a SIGNED  or SIGNATURE  data value shall be obtained by applying the Basic Encoding Rules defined in Rec. ITU-T X.690 | ISO/IEC 8825-1, with the following restrictions[…]”  This language has been present since X.509 (11/1988).  However RFC 5280 says the the Distinguished Encoding Rules in X.690 (07/2002) must be used.

While "Distinguished encoding of Basic Encoding Rules” and "Distinguished Encoding Rules” sound very similar, they are not the same.  I _think_ that DER is a subset of DeoBER, but I’m not 100% sure.

For the purposes of assessing compliance, which rules should be applied?

Thanks,
Peter