RE: Long Name Requirements
"Kemp, David P." <DPKemp@missi.ncsc.mil> Mon, 23 February 2009 18:54 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8029A3A68B2 for <ietfarch-pkix-archive@core3.amsl.com>; Mon, 23 Feb 2009 10:54:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z37O9iHhUIkL for <ietfarch-pkix-archive@core3.amsl.com>; Mon, 23 Feb 2009 10:54:29 -0800 (PST)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 1F2AE3A6827 for <pkix-archive@ietf.org>; Mon, 23 Feb 2009 10:54:28 -0800 (PST)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n1NITqcP006252 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 23 Feb 2009 11:29:53 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n1NITqw8006251; Mon, 23 Feb 2009 11:29:52 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n1NITgLc006240 for <ietf-pkix@imc.org>; Mon, 23 Feb 2009 11:29:52 -0700 (MST) (envelope-from DPKemp@missi.ncsc.mil)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: Long Name Requirements
Date: Mon, 23 Feb 2009 13:28:43 -0500
Message-ID: <200902231829.n1NITfVP003323@stingray.missi.ncsc.mil>
In-Reply-To: <225D7BAE722B45BD82D788A9D52A58C0@ERA1>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Long Name Requirements
Thread-Index: AcmVxPmSRdg/2yWETEq5nGDMIFyj9AAAMVgQAAKeFDA=
References: <20090223134310.1C3482258026@postaci.uekae.tubitak.gov.tr> <225D7BAE722B45BD82D788A9D52A58C0@ERA1>
From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: egulacti@uekae.tubitak.gov.tr, ietf-pkix@imc.org
X-OriginalArrivalTime: 23 Feb 2009 18:25:15.0937 (UTC) FILETIME=[12ECF110:01C995E4]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Ersin, While X.509 permits unlimited-length strings in the Subject field, it may be worth considering usability before making a decision to exercise that freedom. >From a practical perspective, applications may handle long names with varying degrees of grace - some may have hard-coded upper bounds based on 5280 and will refuse to accept longer strings; others may have user interface layouts based on length assumptions and may truncate or wrap for display purposes without rejecting the certificate. If you buy or develop applications designed to handle long strings, then no problem as long as every application that touches your certificates can handle them properly. >From a theoretical perspective, title (regardless of length) probably doesn't belong in the Subject field. The Subject name is an identifier that tells "who" the certificate applies to. Other information about the user, such as height, weight, date of birth, fax number, or title/role/position within the organization can be included in certificates but are not semantically identifiers. Contact information can go either way - at the office a fax number is probably shared but you have a private voice line that uniquely refers to you, while at home the voice line may be shared with the wife and kids but the only fax machine is in your home office. If your purpose is to issue a "role certificate" to a position without regard to who occupies the position, then title is an identifier and does belong in the Subject name. But in most cases, title is an attribute of the user, not part of the user's name. The X.520 title attribute is most appropriately placed in the Subject Directory Attributes extension, with the same implementation considerations as above. As Eric says, defining a new attribute type is not necessary because it would be at least as difficult to get applications to support a new type as it would be to support the new syntax of the existing attribute. Hopefully RFC 5280 bis will follow X.509's lead, making upper bounds minima that implementations MUST support, not maxima that implementations MUST NOT exceed. I'm sure someone will point out that there is precedent for putting almost anything you want in the Subject name, including certificate policy statements and mpeg videos of cats. But don't be persuaded that everything that is syntactically valid is necessarily wise. -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Erik Andersen Sent: Monday, February 23, 2009 9:57 AM To: egulacti@uekae.tubitak.gov.tr; ietf-pkix@imc.org Subject: RE: Long Name Requirements Hi Ersin, In the latest edition of X.509, we removed the length restrictions on attribute types. The PKIX group did not follow suit, but retained the length restriction. A field of 500 characters will not comply with RFC 5280, but it will comply with the X.509 itself, and that is what is important. You can find links to the lasted documents on http://www.x500standard.com/index.php?n=Extension.Ed6. You do not need to define own attribute types. Erik Andersen Andersen's L-Service Elsevej 48, DK-3500 Vaerloese Denmark Mobile: +45 2097 1490 email: era@x500.eu www.x500.eu www.x500standard.com -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of egulacti@uekae.tubitak.gov.tr Sent: 23. februar 2009 14:42 To: ietf-pkix@imc.org Subject: Long Name Requirements Hi, I have read through the PKIX mailing list archives to find a method for using name components longer than 64 characters in the Subject field of an X.509 v3 certificate. Unfortunately I could not find a solution which satisfies RFC 5280 (3280) by using standard CN, Title, O or OU components. Now I plan to use a custom attribute-value pair in the Subject field. Is there any widely used OID for really long names in the Subject field? I need to put full company titles, up to 500 characters long, in the Subject field. Regards, Ersin
- Long Name Requirements egulacti
- RE: Long Name Requirements Erik Andersen
- Re: Long Name Requirements Russ Housley
- RE: Long Name Requirements Paul Hoffman
- RE: Long Name Requirements Erik Andersen
- RE: Long Name Requirements Kemp, David P.
- Re: Long Name Requirements Stefan Santesson
- Re: Long Name Requirements Nelson B Bolyard
- Re: Long Name Requirements Stefan Santesson
- RE: Long Name Requirements Ersin Gülaçtı
- Re: Long Name Requirements Stephen Farrell