Re: [pkix] Amendment to CABF Baseline Requirements

[Ben Wilson <ben.wilson@digicert.com>]

Thanks, Michael.    Is it relevant that Annex C to X.520 (2012) states,
"(This annex does not form an integral part of this Recommendation |
International Standard.)" whereas before (1988) it stated,  "This Annex is
part of the Recommendation."?

From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Michael StJohns
Sent: Thursday, April 6, 2017 10:55 AM
To: pkix@ietf.org
Subject: Re: [pkix] Amendment to CABF Baseline Requirements

Hi Ben - 

IETF 5280 et al are profiles of the X.509 documents.  The upper length
bounds for orgnaizationName and commonName fields in 5280 is no different
than the upper bounds specified in X.509 (at least as of the 2014
document).  I would suggest that you will pretty much break any and all
implementations of X.509 clients that rely or enforce this limit as well as
any code that generates certificate requests.

I will note that overloading text fields with structured data is generally
not a good idea - as you've found.  

Mike



On 4/6/2017 12:24 PM, Ben Wilson wrote:
Does anyone want to comment on my draft amendment to the CA/Browser Forum’s
Baseline Requirements for SSL/TLS Certificates which would remove the
64-character limit on the commonName and organizationName,  as an exception
to RFC 5280?  The text of the relevant Baseline Requirement provision is
found below with the proposed additional language in ALL CAPS.  The reason
for the first change (commonName) is there are FQDNs (in Subject Alternative
Names) that are longer than 64 characters.  The reason for the second change
(organizationName) is that there are organizations with names longer than 64
characters.
 
7.1.4.2.2.             Subject Distinguished Name Fields
a.            Certificate Field: subject:commonName (OID 2.5.4.3)  
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single IP address or
Fully-Qualified Domain Name that is one of the values contained in the
Certificate’s subjectAltName extension (see Section 7.1.4.2.1).
MAXIMUM LENGTH:  NO STIPULATION.  (THIS IS AN EXCEPTION TO RFC 5280 WHICH
SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
b.            Certificate Field: subject:organizationName (OID 2.5.4.10)
Optional.  
Contents: If present, the subject:organizationName field MUST contain either
the Subject’s name or DBA as verified under Section 3.2.2.2. The CA may
include information in this field that differs slightly from the verified
name, such as common variations or abbreviations, provided that the CA
documents the difference and any abbreviations used are locally accepted
abbreviations; e.g., if the official record shows “Company Name
Incorporated”, the CA MAY use “Company Name Inc.” or “Company Name”. 
Because Subject name attributes for individuals (e.g. givenName (2.5.4.42)
and surname (2.5.4.4)) are not broadly supported by application software,
the CA MAY use the subject:organizationName field to convey a natural person
Subject’s name or DBA.
MAXIMUM LENGTH:  256 CHARACTERS (THIS IS AN EXCEPTION TO RFC 5280 WHICH
SPECIFIES AN UPPER BOUND OF 64 CHARACTERS.)
 
Thanks,
Ben Wilson



_______________________________________________
pkix mailing list
mailto:pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix