[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Ryan Sleevi sleevi at google.com
Wed Aug 15 08:32:25 MST 2018

On Wed, Aug 15, 2018 at 9:24 AM Tim Hollebeek <tim.hollebeek at digicert.com>

> Given that the number of 1 bits is likely low, I don’t think BIT STRING is
> that hard to read.  It just means that you’re going to have to memorize
> that Method 6 is “64” instead of 6.  It’s slightly tougher, but if you’re
> the sort of person who is capable of staring at raw ASN.1, I think you can
> cope.

I'm not sure I understand your point about knowing that "Method 6 is 64".

Method 6 is Bit 6.
Method 7 is Bit 7.
Method 139 is Bit 139.

A certificate viewer that does not dive into constructed extensions would
display the extension as its full hex (e.g. with the outer Tag and Length
A certificate viewer that does dive into constructed extensions would
display the inner value, typically in either base2 or base16 notation. In
Base2 notation, it's 'easy' to count which bits are set. In Base16
notation, you can easily convert to Base2.
A certificate viewer that explicitly knows about this extension can:
  - Used named values for methods it recognizes - e.g. as a lookup table,
same as OIDs)
  - Alternatively, note the integer position itself for which bit was set -
e.g. bit 1 = method 1, bit 2 = method 2 etc. - and display that as such

But regardless, you shouldn't expect to see "Method 6 is 64". You'd expect
32, at best, but more realistically, 0x20. :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180815/64a88458/attachment.html>

More information about the Validation mailing list