Legacy Issue Number: 5766
Source: Syracuse University (Polar Humenn)
Document: Chapter 24 CORBA, CSIv2
There is a misinterpretation in the current JDK implementations as to the
interpretation of the word "encapsulation" in the CSIv2 specification
in relation to the encoding of the fields within the CSI Identity Token.
The issue is that the JDK and already certified implementations have
performed a CDR encapsulation of the byte arrays within the Identity
Token. This CDR encapsulation is not needed as the Identity Token is
already a CDR encapsulation, so further CDR encapsulating the byte array
containing the ASN.1 encodings is inefficient.
We can suggest that current implementations do not generate CDR
encapsulation for these fields, yet accept them to be compatible with
Remove the word "encapsulation" before "octet stream" from the rows of the
table 24-2 "Identity Token Types".
Remove the word "encapsulation" in the paragraph in section 24.2.3
"Authorization Token Format".
Remove the word "encapsulated" in the comments in the IDL section for the
definition of the X509CertificateChain.
Remove the sentence "The two-part SEQUENCE is encapsulated in an octet
stream." in the IDL definition for "const AuthorizationElementType
Add paragraph to section 24.2.5 "Identity Token Formats".
The identity token for ITTPrincipalName, ITTDistinguishedName,
ITTX509CertChain should contain their respective ASN.1 encodings of the
name directly. However, the token may contain a CDR encapsulation of the
octet stream that contains the ASN.1 encoding of the name. The TSS shall
distinguish the difference by the first octet of the field. The values of
0x00 or 0x01 shall indicate that the field contains a CDR encapsulation.
Any other value indicates the field for these identity token types
contains the ASN.1 encoded value. For instance, the ASN.1 encoding for
ITTPrincipalName starts with 0x04, and ITTDistinguishedName and
ITTX509CertChain each start with 0x30. The TSS shall accept both the CDR
encapsulation form and the direct ASN.1 encoding for these identity token
Reported: CORBA 3.0.1 — Tue, 19 Nov 2002 05:00 GMT
Disposition: Resolved — CORBA 3.0.2
Indeed a severe interoperability problem. Fix as suggested.
Updated: Fri, 6 Mar 2015 20:58 GMT
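
The first-octet rule in the paragraph proposed for section 24.2.5, as an added example (not code from the issue, the specification or the JDK): a TSS-side helper that accepts both the direct ASN.1 form and the CDR-encapsulated form. The function names, the exact-length check and the tag check are assumptions of this example, and the sample values are constructed.

```python
import struct
from typing import Tuple

# First ASN.1 octet the issue text gives for each identity token type.
EXPECTED_TAG = {
    "ITTPrincipalName": 0x04,
    "ITTDistinguishedName": 0x30,
    "ITTX509CertChain": 0x30,
}

def unwrap_identity_field(token_type: str, field: bytes) -> Tuple[str, bytes]:
    """Return (form, asn1_bytes), where form is "asn1" or "cdr"."""
    if not field:
        raise ValueError("empty identity token field")
    if field[0] in (0x00, 0x01):
        # CDR encapsulation of a sequence<octet>: byte-order octet, three
        # padding octets to align the unsigned long length, then the data.
        if len(field) < 8:
            raise ValueError("truncated CDR encapsulation")
        fmt = "<I" if field[0] == 0x01 else ">I"  # 0x01 = little-endian
        (length,) = struct.unpack_from(fmt, field, 4)
        # Strictness chosen for this example: length must match exactly.
        if length != len(field) - 8:
            raise ValueError("CDR length does not match field size")
        form, asn1 = "cdr", field[8:]
    else:
        form, asn1 = "asn1", field
    # Extra check in this example: payload must start with the expected tag.
    if not asn1 or asn1[0] != EXPECTED_TAG[token_type]:
        raise ValueError("unexpected ASN.1 tag for " + token_type)
    return form, asn1

def cdr_encapsulate(asn1: bytes, little_endian: bool = False) -> bytes:
    """Build the legacy wrapped form (used here only to make sample input)."""
    flag, fmt = (b"\x01", "<I") if little_endian else (b"\x00", ">I")
    return flag + b"\x00" * 3 + struct.pack(fmt, len(asn1)) + asn1

# Constructed sample values, not taken from any real token.
SAMPLE_PRINCIPAL = b"\x04\x03abc"   # OCTET STRING, 3 octets
SAMPLE_DN = b"\x30\x00"             # empty SEQUENCE

if __name__ == "__main__":
    for t, v in (("ITTPrincipalName", SAMPLE_PRINCIPAL),
                 ("ITTDistinguishedName", SAMPLE_DN)):
        for f in (v, cdr_encapsulate(v), cdr_encapsulate(v, True)):
            print(t, f.hex(), "->", unwrap_identity_field(t, f)[0])
```

Rejecting a wrapped field whose declared length disagrees with the bytes present keeps a malformed legacy token from being parsed past its end.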