RE: Long Name Requirements

[Ersin Gülaçtı <ersin.gulacti@kamusm.gov.tr>]

First, I like to clarify some points. What I am trying is to put a legal
person's name (i.e Company Title) in the Subject field of the certificate
(CN=ACME Company ...). The company will be the owner of the certificate.
Since company names are longer than 64 characters in nature, I have to
devise a solution for creating standards compatible certificates. 

I have reviewed the discussions between the PKIX and ITU on upper bounds. I
wish and hope that RFC 5280 bis will follow X.509's lead on handling longer
names. In practice our CA software and verification API had strict
enforcement of the 64 characters based on RFC 3280, 4 years ago. At that
time we encountered some root certificates that had longer CN and OU
components than 64 characters. To make our API compatible with those
certificates we relaxed our upper bounds limit to 128 characters for the
decoding of certificates. Our CA software still creates certificates
according to the 64 characters upper bound limitation. I think it would be
better to modify our CA software and create certificates with no upper bound
limits on name structures. 

-----Original Message-----
From: Kemp, David P. [mailto:DPKemp@missi.ncsc.mil] 
Sent: Monday, February 23, 2009 8:29 PM
To: egulacti@uekae.tubitak.gov.tr; ietf-pkix@imc.org
Subject: RE: Long Name Requirements

Ersin,

While X.509 permits unlimited-length strings in the Subject field, it may be
worth considering usability before making a decision to exercise that
freedom.

>From a practical perspective, applications may handle long names with
varying degrees of grace - some may have hard-coded upper bounds based on
5280 and will refuse to accept longer strings; others may have user
interface layouts based on length assumptions and may truncate or wrap for
display purposes without rejecting the certificate.  If you buy or develop
applications designed to handle long strings, then no problem as long as
every application that touches your certificates can handle them properly.

>From a theoretical perspective, title (regardless of length) probably
doesn't belong in the Subject field.  The Subject name is an identifier that
tells "who" the certificate applies to.  Other information about the user,
such as height, weight, date of birth, fax number, or title/role/position
within the organization can be included in certificates but are not
semantically identifiers.  Contact information can go either way - at the
office a fax number is probably shared but you have a private voice line
that uniquely refers to you, while at home the voice line may be shared with
the wife and kids but the only fax machine is in your home office.  If your
purpose is to issue a "role certificate" to a position without regard to who
occupies the position, then title is an identifier and does belong in the
Subject name.  But in most cases, title is an attribute of the user, not
part of the user's name.  The X.520 title attribute is most appropriately
placed in the Subject Directory Attributes extension, with the same
implementation considerations as above.  

As Eric says, defining a new attribute type is not necessary because it
would be at least as difficult to get applications to support a new type as
it would be to support the new syntax of the existing attribute.
Hopefully RFC 5280 bis will follow X.509's lead, making upper bounds minima
that implementations MUST support, not maxima that implementations MUST NOT
exceed.

I'm sure someone will point out that there is precedent for putting almost
anything you want in the Subject name, including certificate policy
statements and mpeg videos of cats.  But don't be persuaded that everything
that is syntactically valid is necessarily wise.



-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Erik Andersen
Sent: Monday, February 23, 2009 9:57 AM
To: egulacti@uekae.tubitak.gov.tr; ietf-pkix@imc.org
Subject: RE: Long Name Requirements


Hi Ersin,

In the latest edition of X.509, we removed the length restrictions on
attribute types. The PKIX group did not follow suit, but retained the length
restriction. A field of 500 characters will not comply with RFC 5280, but it
will comply with the X.509 itself, and that is what is important.

You can find links to the lasted documents on
http://www.x500standard.com/index.php?n=Extension.Ed6.

You do not need to define own attribute types.

Erik Andersen
Andersen's L-Service
Elsevej 48, DK-3500 Vaerloese
Denmark
Mobile: +45 2097 1490
email: era@x500.eu
www.x500.eu
www.x500standard.com
 

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On
Behalf Of egulacti@uekae.tubitak.gov.tr
Sent: 23. februar 2009 14:42
To: ietf-pkix@imc.org
Subject: Long Name Requirements


Hi,

I have read through the PKIX mailing list archives to find a method for
using name components longer than 64 characters in the Subject field of an
X.509 v3 certificate. Unfortunately I could not find a solution which
satisfies RFC 5280 (3280) by using standard CN, Title, O or OU components.

Now I plan to use a custom attribute-value pair in the Subject field. Is
there any widely used OID for really long names in the Subject field? I need
to put full company titles, up to 500 characters long, in the Subject field.

Regards,

Ersin