[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Ryan Sleevi sleevi at google.com
Tue Aug 14 07:37:02 MST 2018

On Tue, Aug 14, 2018 at 7:29 AM Doug Beattie via Validation <
validation at cabforum.org> wrote:

> Hi Wayne,
> I have a couple of comments/suggestions:
> Did we agree to change the effective date to a bit later than April?
> On the numbering scheme, certainly 500 is high enough that we won’t see a
> collision any time soon, but it might be easier to mentally map the IP
> address numbers if they started at 1000 (just a minor suggestion).   Also
> we’ll need to be sure we update IP address validation section before this
> ballot goes into effect – do we need to point out this dependency?
> You used the construct Sequence vs. Set, so there is an implied meaning to
> the order of the integers, but I think they are randomly “sequenced”.
> Maybe Set is better in this case unless we want them ordered for some
> reason?  It’s not a big deal because RFC 5280 uses sequence for things like
> EKU where the order isn’t important also.

We've seen CAs botch the SET ordering for DER badly in the past (example:
equivalent subject AttributeValues), so it also seems less risk to order by
SEQUENCE, which gives it nice predictability. I've certainly seen encoding
libraries have troubles with SET OF vs SEQUENCE OF. I agree that
semantically, we're not approaching special value to the ordering.

Neither Set nor Sequence precludes duplicate values, so the statement
> “..assert every distinct method” isn’t enforced via the ASN structure.  I
> don’t think there is an easy way (nor necessarily a strong requirement) to
> enforce this at the encoding level – just pointing it out in case someone
> has an idea or opinion about that.  However, this random article says that
> “the entries of a set usually are assumed to be unique, no two identical
> entries in a set, while a sequence may contain many identical entries”,
> which further suggests we should use set for our purposes.
> https://stackoverflow.com/questions/31442003/asn1-sequence-vs-set

I'm not really sure that supports the point you're making though. That's
just talking about assumptions people make that aren't supported by the
text (e.g. X.680 E.2.10 for SEQUENCE/SEQUENCE OF, E.2.11 for SET/SET OF)

If the goal here is to guarantee that one-and-only-one instance appears,
and to minimize the size, the alternative encoding is using a BITSTRING
(c.f. X.680 E.2.5.3  Use a bit string type to model the values of a bit
map, an ordered collection of logical variables indicating whether a
particular condition holds for each of a correspondingly ordered collection
of objects.). Note that if using a named bitlist, you have to make sure
you're observing the DER rule (of no additional trailing zeroes), which is
another thing some CA impls have botched, but seems... slightly better?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180814/aac16e68/attachment.html>

More information about the Validation mailing list