Format and standard for CSR
rgm at htt-consult.com
Wed Aug 28 23:13:15 UTC 2019
On 8/28/19 6:09 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> Do you have an ASN.1 definition fit the content of CSR, or are you
> willing to create one?
For now working with ASN.1.
> IMHO, DER would be a pretty good choice, fat better than something
> home-brewed and non-standard.
take a look at rfc 7049. This is the standard for data objects over
constrained networks. Then look at
For work being done to define by a good team to meld x.509 stuff with CBOR.
"The wonderful thing about standards is there are so many to choose from."
There was a reference point to Grace Hopper saying this in '58.
> Sent from my iPhone
> On Aug 28, 2019, at 17:49, Robert Moskowitz <rgm at htt-consult.com
> <mailto:rgm at htt-consult.com>> wrote:
>> CSR is an object in a container that goes over a 'wire'. Sometimes
>> the wire is very small (BT4) so the container needs to be tightly
>> It should be a standard, not something totally off the wall. Well I
>> could do it in CBOR, and probably will at some point, but for now
>> something more common in PKIX world should work.
>> Mangle it, stuff it down the wire, de-mangle it and use it. For now I
>> am referencing RFC 2986.
>> What do you suggest. Please reference documents that can be
>> referenced in the document.
>> On 8/28/19 5:23 PM, Michael Sierchio wrote:
>>> I don't see the point in DER encoding for a CSR – The RA and CA
>>> decide the composition of the cert, based on the rules and CPA that
>>> they follow, and of course any cert issued will be in DER format,
>>> and may include reordering or modified/expanded extensions and key
>>> use restrictions. A CSR is basically an assertion that includes
>>> pubkey, proof of possession of the private key, and any request
>>> elements required by policy. It's a one-time document that needs to
>>> be validated precisely once.
>>> On Wed, Aug 28, 2019 at 6:49 AM Robert Moskowitz
>>> <rgm at htt-consult.com <mailto:rgm at htt-consult.com>> wrote:
>>> I am writing an Internet Draft that will include transmission of
>>> a CSR,
>>> so I need to reference the proper source. No more sloppy, "well it
>>> Some digging said it is in PKCS#10 - CSR. But I did not stop
>>> with that.
>>> A bit more googling lead me to RFC 4211...
>>> When I create a CSR with:
>>> openssl req -config openssl-intermediate.cnf\
>>> -key ./private/client.key.pem \
>>> -subj "$DN" -new -out ./csr/client.csr.pem
>>> What format is this? Are there better, more concise formats
>>> (e.g. DER?)
>>> for transmission over constrained networks?
>>> I can dump it with
>>> openssl req -text -noout -verify -in ./csr/client.csr.pem
>>> But that does not really tell me the format, only what is in the
>>> "Well," Brahmā said, "even after ten thousand explanations, a fool
>>> is no wiser, but an intelligent person requires only two thousand
>>> five hundred."
>>> - The Mahābhārata
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openssl-users