----- Original Message -----
From: "Sam Hartman" <hartmans-ietf@xxxxxxx>
To: "t.p." <daedulus@xxxxxxxxxxxxx>
Cc: "Sam Hartman" <hartmans-ietf@xxxxxxx>; <ietf@xxxxxxxx>; <secdir@xxxxxxxx>; <iesg@xxxxxxxx>; <draft-ietf-netconf-rfc5539bis.all@xxxxxxxxxxxxxx>
Sent: Tuesday, March 10, 2015 12:48 PM

> >>>>> "t" == t p <daedulus@xxxxxxxxxxxxx> writes:
>
> Well, I think you still need to answer questions like
>
> * Is it a fingerprint of the cert or the key?
>
> * Is the server expected to re-normalize the DER? Allowed to
> re-normalize the DER?

Sam

Thank you for your comments. The I-D specifies fingerprint of the certificate so that is specified. Normalisation is not specified and is an interesting point; as you say, something to be considered.

Tom Petch

> So that the input to the hash is well specified.
> Several protocols within the IETF have taken on the challenge of
> describing how to fingerprint certificates. I think the document would
> be improved by picking one of these strategies.
>