[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Tim Hollebeek tim.hollebeek at digicert.com
Wed Aug 15 09:22:40 MST 2018

Yeah, lots of people are going to make the same mistake I did if Method 6 is represented by bit 5 (not 6! I like my bit numbers to be zero-based, so you can just do the power thing). Off-by-one errors are so much fun …


But again, I don’t think it’s a huge problem.  Only technical people are staring at this stuff, and they’ll quickly learn which values correspond to which methods.




From: Ryan Sleevi <sleevi at google.com> 
Sent: Wednesday, August 15, 2018 11:32 AM
To: Tim Hollebeek <tim.hollebeek at digicert.com>
Cc: Doug Beattie <doug.beattie at globalsign.com>; Daymion T. Reynolds <dreynolds at godaddy.com>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies



On Wed, Aug 15, 2018 at 9:24 AM Tim Hollebeek <tim.hollebeek at digicert.com> wrote:

Given that the number of 1 bits is likely low, I don’t think BIT STRING is that hard to read.  It just means that you’re going to have to memorize that Method 6 is “64” instead of 6.  It’s slightly tougher, but if you’re the sort of person who is capable of staring at raw ASN.1, I think you can cope.


I'm not sure I understand your point about knowing that "Method 6 is 64".


Method 6 is Bit 6.

Method 7 is Bit 7.

Method 139 is Bit 139.


A certificate viewer that does not dive into constructed extensions would display the extension as its full hex (e.g. with the outer Tag and Length octets).

A certificate viewer that does dive into constructed extensions would display the inner value, typically in either base2 or base16 notation. In Base2 notation, it's 'easy' to count which bits are set. In Base16 notation, you can easily convert to Base2.

A certificate viewer that explicitly knows about this extension can:

  - Use named values for methods it recognizes (e.g. as a lookup table, same as OIDs)

  - Alternatively, note the integer position itself for which bit was set - e.g. bit 1 = method 1, bit 2 = method 2 etc. - and display that as such


But regardless, you shouldn't expect to see "Method 6 is 64". You'd expect 32, at best, but more realistically, 0x20. :)
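
The disagreement above is really about how a bit position in a DER BIT STRING shows up in a hex dump. The following is an added example, my own code rather than anything from the list, the ballot or a CA's implementation. It encodes a set of ASN.1 bit positions into a DER BIT STRING and parses one back (rejecting the non-DER encodings a strict viewer should refuse), and it assumes the mapping Ryan states, method N is bit N; the METHOD_BIT_OFFSET knob is hypothetical, there so the mapping can be shifted if the final ballot numbers things differently.

```python
"""Added example, not from the thread: DER BIT STRING bit positions vs. the
octets a certificate viewer displays.

Assumption (taken from "Method 6 is Bit 6" in the quoted mail): method N maps
to ASN.1 bit N. METHOD_BIT_OFFSET is a hypothetical knob for a different mapping.
"""

METHOD_BIT_OFFSET = 0  # assumed: method N -> ASN.1 bit N + offset


def _encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(der: bytes, off: int) -> tuple[int, int]:
    """Return (content length, offset of the first content octet)."""
    first = der[off]
    if first < 0x80:
        return first, off + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or unsupported length form")
    raw = der[off + 1 : off + 1 + nbytes]
    if len(raw) != nbytes or raw[0] == 0:
        raise ValueError("truncated or non-minimal length")
    return int.from_bytes(raw, "big"), off + 1 + nbytes


def encode_bit_string(bits: set[int]) -> bytes:
    """DER BIT STRING (tag 0x03) with exactly the given ASN.1 bit positions set.

    ASN.1 numbers bits from the most significant bit of the first value octet:
    bit n lives in octet n // 8 under mask 0x80 >> (n % 8). The first content
    octet is the count of unused trailing bits, which DER requires to be zero,
    and DER forbids trailing all-zero value octets.
    """
    if any(b < 0 for b in bits):
        raise ValueError("negative bit position")
    if not bits:
        return b"\x03\x01\x00"  # empty BIT STRING: 0 unused bits, no value octets
    highest = max(bits)
    value = bytearray(highest // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - (highest % 8)
    content = bytes([unused]) + bytes(value)
    return b"\x03" + _encode_length(len(content)) + content


def decode_bit_string(der: bytes) -> set[int]:
    """Parse a DER BIT STRING into the set of bit positions that are set,
    refusing encodings DER forbids (bad unused count, nonzero padding bits,
    trailing zero octet)."""
    if not der or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length, off = _decode_length(der, 1)
    content = der[off : off + length]
    if length == 0 or len(content) != length:
        raise ValueError("empty or truncated content")
    unused, value = content[0], content[1:]
    if unused > 7 or (unused and not value):
        raise ValueError("invalid unused-bits count")
    if unused and value[-1] & ((1 << unused) - 1):
        raise ValueError("padding bits must be zero in DER")
    if value and value[-1] == 0:
        raise ValueError("trailing zero octet is not DER")
    return {i * 8 + j for i, octet in enumerate(value)
            for j in range(8) if octet & (0x80 >> j)}


def methods_to_der(methods) -> bytes:
    """Validation method numbers -> DER BIT STRING, under the assumed mapping."""
    return encode_bit_string({m + METHOD_BIT_OFFSET for m in methods})


def der_to_methods(der: bytes) -> set[int]:
    """DER BIT STRING -> validation method numbers, under the assumed mapping."""
    return {b - METHOD_BIT_OFFSET for b in decode_bit_string(der)}


def viewer_octets(der: bytes) -> str:
    """The hex a viewer that dives into the extension would show: the value
    octets after the unused-bits count (not the 2**N integer one might expect)."""
    length, off = _decode_length(der, 1)
    return der[off + 1 : off + length].hex()


if __name__ == "__main__":
    der = methods_to_der({6})
    print(der.hex())           # 03020102
    print(viewer_octets(der))  # 02: bit 6 is the second-lowest bit of octet 0
```

Run as a script it shows the point of the thread: method 6 under a "method N is bit N" mapping is neither 64 nor 32 in the dump but a value octet of 0x02 preceded by an unused-bits count of 1, because ASN.1 counts bits from the most significant end of the first octet. The decoder's DER checks matter for a viewer too: an encoding with nonzero padding bits or a trailing 0x00 octet is not the canonical form and should be flagged rather than silently read.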

