Format and standard for CSR

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Aug 28 22:09:11 UTC 2019 

Do you have an ASN.1 definition fit the content of CSR, or are you willing to create one?

IMHO, DER would be a pretty good choice, fat better than something home-brewed and non-standard.

Regards,
Uri

Sent from my iPhone

> On Aug 28, 2019, at 17:49, Robert Moskowitz <rgm at htt-consult.com> wrote:
> 
> CSR is an object in a container that goes over a 'wire'.   Sometimes the wire is very small (BT4) so the container needs to be tightly designed.
> 
> It should be a standard, not something totally off the wall.  Well I could do it in CBOR, and probably will at some point, but for now something more common in PKIX world should work.
> 
> Mangle it, stuff it down the wire, de-mangle it and use it.  For now I am referencing RFC 2986.
> 
> What do you suggest.  Please reference documents that can be referenced in the document.
> 
> Thanks
> 
> 
>> On 8/28/19 5:23 PM, Michael Sierchio wrote:
>> 
>> I don't see the point in DER encoding for a CSR – The RA and CA decide the composition of the cert, based on the rules and CPA that they follow, and of course any cert issued will be in DER format, and may include reordering or modified/expanded extensions and key use restrictions.  A CSR is basically an assertion that includes pubkey, proof of possession of the private key, and any request elements required by policy.  It's a one-time document that needs to be validated precisely once.
>> 
>> 
>>> On Wed, Aug 28, 2019 at 6:49 AM Robert Moskowitz <rgm at htt-consult.com> wrote:
>>> I am writing an Internet Draft that will include transmission of a CSR, 
>>> so I need to reference the proper source.  No more sloppy, "well it 
>>> works...".
>>> 
>>> Some digging said it is in PKCS#10 - CSR.  But I did not stop with that.
>>> 
>>> A bit more googling lead me to RFC 4211...
>>> 
>>> When I create a CSR with:
>>> 
>>>     openssl req -config openssl-intermediate.cnf\
>>>         -key ./private/client.key.pem \
>>>         -subj "$DN" -new -out ./csr/client.csr.pem
>>> 
>>> What format is this?  Are there better, more concise formats (e.g. DER?) 
>>> for transmission over constrained networks?
>>> 
>>> I can dump it with
>>> 
>>>     openssl req -text -noout -verify -in ./csr/client.csr.pem
>>> 
>>> But that does not really tell me the format, only what is in the cert.
>>> 
>>> Thanks
>>> 
>> 
>> 
>> -- 
>> 
>> "Well," Brahmā said, "even after ten thousand explanations, a fool is no wiser, but an intelligent person requires only two thousand five hundred."
>> 
>> - The Mahābhārata
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190828/bd7f9dbb/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5821 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190828/bd7f9dbb/attachment.bin>

More information about the openssl-users mailing list