<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
CSR is an object in a container that goes over a 'wire'. Sometimes
the wire is very small (BT4) so the container needs to be tightly
designed.<br>
<br>
It should be a standard, not something totally off the wall. Well I
could do it in CBOR, and probably will at some point, but for now
something more common in PKIX world should work.<br>
<br>
Mangle it, stuff it down the wire, de-mangle it and use it. For now
I am referencing RFC 2986.<br>
<br>
What do you suggest. Please reference documents that can be
referenced in the document.<br>
<br>
Thanks<br>
<br>
<br>
<div class="moz-cite-prefix">On 8/28/19 5:23 PM, Michael Sierchio
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAHu1Y72oWURbi-6PhfVdfvKT_V7ZRAXhq_WtZvmnQoehs4XYzA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div><br>
</div>
<div>I don't see the point in DER encoding for a CSR – The RA
and CA decide the composition of the cert, based on the rules
and CPA that they follow, and of course any cert issued will
be in DER format, and may include reordering or
modified/expanded extensions and key use restrictions. A CSR
is basically an assertion that includes pubkey, proof of
possession of the private key, and any request elements
required by policy. It's a one-time document that needs to be
validated precisely once.</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Aug 28, 2019 at 6:49
AM Robert Moskowitz <<a href="mailto:rgm@htt-consult.com"
moz-do-not-send="true">rgm@htt-consult.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I
am writing an Internet Draft that will include transmission of
a CSR, <br>
so I need to reference the proper source. No more sloppy,
"well it <br>
works...".<br>
<br>
Some digging said it is in PKCS#10 - CSR. But I did not stop
with that.<br>
<br>
A bit more googling lead me to RFC 4211...<br>
<br>
When I create a CSR with:<br>
<br>
openssl req -config openssl-intermediate.cnf\<br>
-key ./private/client.key.pem \<br>
-subj "$DN" -new -out ./csr/client.csr.pem<br>
<br>
What format is this? Are there better, more concise formats
(e.g. DER?) <br>
for transmission over constrained networks?<br>
<br>
I can dump it with<br>
<br>
openssl req -text -noout -verify -in ./csr/client.csr.pem<br>
<br>
But that does not really tell me the format, only what is in
the cert.<br>
<br>
Thanks<br>
<br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial, helvetica, sans-serif"
color="#666666"><br>
"Well," Brahmā said, "even after ten thousand
explanations, a fool is no wiser, but an intelligent
person requires only two thousand five hundred."</font>
<div><font face="arial, helvetica, sans-serif"
color="#666666"><br>
- The Mahābhārata</font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>