ietf-wg-drip / draft-ietf-drip-registries


Text for sec 10.4 #40

Closed rgmhtt closed 7 months ago

rgmhtt commented 8 months ago

10.4. C509 Certificate Encoding

The CBOR Encoded X.509 Certificates (C509 Certificates) [draft-ietf-cose-cbor-encoded-cert] provide a standards-based approach to reduce the size of X.509 certificates both on-the-wire and in storage. The PKI-Lite RAA certificate example in Appendix B.2 is 331 bytes. The matching C509 certificate is 183 bytes. This sort of difference may have significant impact both on UAS storage requirements and on over-the-air transmission.

C509 provides two approaches for encoding X.509.

  1. An invertible CBOR re-encoding of DER encoded X.509 certificates [RFC5280], which can be reversed to obtain the original DER encoded X.509 certificate.

  2. Natively signed C509 certificates, where the signature is calculated over the CBOR encoding instead of over the DER encoding as in 1. This removes the need for ASN.1 and DER parsing and the associated complexity but they are not backwards compatible with implementations requiring DER encoded X.509.

The invertible CBOR encoding may be sufficient for most needs. The CBOR objects clearly indicate which approach was used, so that the receiver can properly process the C509 object. For interoperability in DRIP, it is recommended that invertible CBOR encoding be used.

Using the invertible CBOR encoding is achieved through in-line libraries that convert in the desired direction. Since DNS protocols are not expected to implement this conversion, the DET RR SHOULD contain the normal X.509 DER encoding. The CBOR encoding MAY be used, but operational experience will be needed to see if there are measurable gains in doing so.
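
As an added illustration (not part of the draft text above or of any C509 library), the following shows the "invertible" property on a single X.509 field, the serialNumber: DER pads a positive INTEGER with 0x00 when its top bit is set, C509 carries only the magnitude as an unwrapped CBOR biguint (a byte string), and the DER bytes can be rebuilt exactly. The full C509 mapping covers every certificate field; the helper names here are hypothetical and the minimal CBOR/DER routines are written inline so it runs offline.

```python
# Added example: invertible C509-style re-encoding of the DER serialNumber field.
# RFC 5280 requires a positive serial; DER forbids non-minimal leading zeros, so the
# unsigned magnitude determines the DER INTEGER uniquely, which is what makes the
# mapping reversible. Helper names are hypothetical, not from any C509 library.

def cbor_bstr(b: bytes) -> bytes:
    """Encode a CBOR byte string (major type 2); lengths up to 65535 suffice here."""
    n = len(b)
    if n < 24:
        return bytes([0x40 | n]) + b
    if n < 256:
        return bytes([0x58, n]) + b
    return b"\x59" + n.to_bytes(2, "big") + b

def cbor_bstr_decode(data: bytes) -> tuple[bytes, bytes]:
    """Decode one CBOR byte string; return (payload, remaining bytes)."""
    if data[0] >> 5 != 2:
        raise ValueError("not a CBOR byte string")
    ai = data[0] & 0x1F
    if ai < 24:
        n, off = ai, 1
    elif ai == 24:
        n, off = data[1], 2
    elif ai == 25:
        n, off = int.from_bytes(data[1:3], "big"), 3
    else:
        raise ValueError("unsupported CBOR length encoding")
    return data[off:off + n], data[off + n:]

def der_serial_to_c509(der: bytes) -> bytes:
    """DER INTEGER (tag 0x02, short-form length) -> CBOR byte string of the magnitude."""
    if der[0] != 0x02 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a well-formed short-form DER INTEGER")
    content = der[2:]
    if content[0] & 0x80:
        raise ValueError("negative serial numbers are not allowed by RFC 5280")
    if content[0] == 0x00 and len(content) > 1:
        if not content[1] & 0x80:
            raise ValueError("non-minimal DER INTEGER; not invertible")
        content = content[1:]  # drop the sign-padding byte; it is implied by bit 7
    return cbor_bstr(content)

def c509_serial_to_der(cbor: bytes) -> bytes:
    """Inverse mapping: rebuild the exact DER INTEGER bytes."""
    magnitude, rest = cbor_bstr_decode(cbor)
    if rest:
        raise ValueError("trailing bytes after serial number")
    if magnitude[0] & 0x80:
        magnitude = b"\x00" + magnitude  # restore DER's sign-padding for a positive value
    return b"\x02" + bytes([len(magnitude)]) + magnitude
```

Comparing `len(der)` against `len(der_serial_to_c509(der))` on a real certificate's serial shows where part of the 331-versus-183-byte saving quoted above comes from.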

kc2rxo commented 8 months ago

Added in 55d1d141a8b35f3a7f6bb01c6ceb53f891410bc2