Distinguished Encoding Rules
The Distinguished Encoding Rules (DER) are a subset of BER: they eliminate some of the flexibility provided by BER, but in return they guarantee that there is one and only one way to encode a message. That is, if we were to encode, decode, re-encode, re-decode, and re-re-encode, all three encodings must be the same. DER is commonly used in security-related applications such as X.509 digital certificates.
DER uses the definite length form encoding. For example, given the following ASN.1 type and value:

    Age ::= INTEGER (0..7)
    firstGrade Age ::= 6
The restrictions imposed by DER on BER are listed below:
- The length field must be encoded in the minimum number of octets.
- For BOOLEAN types, FALSE is always encoded as 00 and TRUE is always encoded as FF.
- For BIT STRING types:
  - Unused bits in the last octet are set to 0.
  - Trailing 0s are not encoded for a named bit list.
  - If no bits are on, the length is set to 1 and a single octet of 00 is used.
- For BIT STRING and OCTET STRING types, DER does not allow the constructed form (breaking a string into multiple TLVs) or the indefinite length form.
- For REAL types, base 10 uses the NR3 form:
  - No spaces.
  - No plus sign in the mantissa or the exponent.
  - The period is used as the decimal separator.
  - The mantissa must not begin or end with 0s.
  - The mantissa is followed by ".E".
  - The exponent cannot begin with 0.
- For REAL types, base 2:
  - The mantissa is 0 or an odd number.
  - The mantissa and exponent must be encoded in the minimum number of octets.
  - The scale factor F is 0.
- For time types:
  - There are no meaningless trailing zeroes.
  - No decimal point is allowed if there is no fractional part in UTCTime.
  - The Z form is always used.
  - The decimal point is always used in GeneralizedTime.
- For SEQUENCE and SET types:
  - A default value is never encoded.
- For SET types:
  - Elements are sorted into tag order.
- For SET OF types:
  - Elements are sorted into ascending order of encoding.
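The following Python is an added example, not code from the original page or from any ASN.1 library. It encodes the Age value defined above and applies several of the rules just listed (minimum-octet length, INTEGER in the fewest two's-complement octets, BOOLEAN as 00/FF, named bit list with trailing zeros dropped, SET OF elements sorted by encoding). It also includes a strict decoder that rejects the forms BER permits but DER forbids, which is what makes the encode/decode/re-encode round trip reproduce the same octets. All function names and the sample values are assumptions of this example.

```python
# Added example: a small DER encoder plus a strict decoder for a few universal
# types. Not from the original page; function names and sample values are
# assumptions made for illustration.
from typing import List, Tuple


def encode_length(n: int) -> bytes:
    """Definite-length form using the minimum number of octets (DER rule)."""
    if n < 0x80:
        return bytes([n])                        # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body      # long form, no leading 00 octets


def tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + encode_length(len(value)) + value


def encode_integer(v: int) -> bytes:
    """INTEGER as two's complement in the fewest octets (no redundant 00 or FF)."""
    n = 1
    while not (-(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1))):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def encode_boolean(b: bool) -> bytes:
    """DER: TRUE is always FF and FALSE is always 00."""
    return tlv(0x01, b"\xff" if b else b"\x00")


def encode_named_bits(bits: List[int]) -> bytes:
    """BIT STRING from a named bit list. Bit 0 is the most significant bit of
    the first content octet. Trailing zero bits are dropped, unused bits are
    zero, and an all-zero list encodes as a single 00 octet."""
    bits = list(bits)
    while bits and bits[-1] == 0:
        bits.pop()
    if not bits:
        return tlv(0x03, b"\x00")
    nbytes = (len(bits) + 7) // 8
    value = 0
    for i, bit in enumerate(bits):
        if bit:
            value |= 1 << (8 * nbytes - 1 - i)
    unused = 8 * nbytes - len(bits)
    return tlv(0x03, bytes([unused]) + value.to_bytes(nbytes, "big"))


def encode_sequence(parts: List[bytes]) -> bytes:
    return tlv(0x30, b"".join(parts))


def encode_set_of(parts: List[bytes]) -> bytes:
    """SET OF: element encodings in ascending order of their octet strings."""
    return tlv(0x31, b"".join(sorted(parts)))


def decode_tlv(data: bytes) -> Tuple[int, bytes, bytes]:
    """Parse one TLV, rejecting what BER allows but DER forbids: indefinite
    length, non-minimal length octets, non-minimal INTEGER, BOOLEAN other
    than 00/FF. Returns (tag, value, remaining bytes)."""
    if len(data) < 2:
        raise ValueError("truncated TLV")
    tag, first = data[0], data[1]
    if first < 0x80:
        length, pos = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length form is not DER")
    else:
        nbytes = first & 0x7F
        lbytes = data[2:2 + nbytes]
        if len(lbytes) != nbytes or lbytes[0] == 0:
            raise ValueError("non-minimal or truncated long-form length")
        length = int.from_bytes(lbytes, "big")
        if length < 0x80:
            raise ValueError("long form used where the short form suffices")
        pos = 2 + nbytes
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    if tag == 0x01 and value not in (b"\x00", b"\xff"):
        raise ValueError("BOOLEAN must be 00 or FF in DER")
    if tag == 0x02 and len(value) > 1 and (
            (value[0] == 0x00 and value[1] < 0x80) or
            (value[0] == 0xFF and value[1] >= 0x80)):
        raise ValueError("INTEGER not encoded in the minimum number of octets")
    return tag, value, data[pos + length:]


def firstgrade_der() -> bytes:
    """The page's example: Age ::= INTEGER (0..7), firstGrade Age ::= 6."""
    return encode_integer(6)


def is_strict_der(encoded: bytes) -> bool:
    """True if the strict decoder accepts the first TLV of the input."""
    try:
        decode_tlv(encoded)
        return True
    except ValueError:
        return False


def roundtrip_is_stable(encoded: bytes) -> bool:
    """Decode and re-encode one TLV; DER promises the same octets come back."""
    tag, value, rest = decode_tlv(encoded)
    return rest == b"" and tlv(tag, value) == encoded


if __name__ == "__main__":
    print(firstgrade_der().hex())                      # the Age example
    print(encode_set_of([encode_integer(3), encode_integer(1)]).hex())
    print(is_strict_der(bytes.fromhex("02810106")))    # BER long-form length
```

The decoder side is the part worth keeping in mind in practice: a parser that quietly accepts the BER forms above (long-form length for a short value, BOOLEAN 01, an INTEGER with a redundant leading 00) will decode the same value from several different byte strings, which is exactly the non-uniqueness DER exists to remove.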