gpgsm --import of CA certificate: Bad signature?

Werner Koch wk at
Wed Apr 18 09:39:06 CEST 2007


whether the optional parameter of the AlgorithmIdentifier is really
optional has changed over time.  My ASN.1 derived from the German Sphinx
profile state:

  AlgorithmIdentifier ::= SEQUENCE {
    algorithm    OBJECT IDENTIFIER,
    parameters   ANY DEFINED BY algorithm OPTIONAL
    -- should be used but set to NULL

rfc3280 (X.509) does not have this remark.  Peter Gutmann's X.509 guide
explains this issue:

  Another pitfall to be aware of is that algorithms which have no
  parameters have this specified as a NULL value rather than omitting
  the parameters field entirely.  The reason for this is that when the
  1988 syntax for AlgorithmIdentifier was translated into the 1997
  syntax, the OPTIONAL associated with the AlgorithmIdentifier
  parameters got lost.  Later it was recovered via a defect report, but
  by then everyone thought that algorithm parameters were mandatory.
  Because of this the algorithm parameters should be specified as NULL,
  regardless of what you read elsewhere.

How did you create this certificate?





More information about the Gnupg-users mailing list