Re: [pkix] [Editorial Errata Reported] RFC5280 (4274)

Stefan Santesson <stefan@aaa-sec.com> Fri, 20 February 2015 01:33 UTC


These size limitations are gone in the current edition of X.520.

In X.520 2001 edition, surname as example was defined as:

surname ATTRIBUTE ::= {
    SUBTYPE OF    name
    WITH SYNTAX   DirectoryString{ub-surname}
    ID            id-at-surname
}


Where DirectoryString is size limited by the upper bound ub-surname:

ub-surname INTEGER ::= 64

In the current edition of X.520 (10/2012) the definition is instead:

surname ATTRIBUTE ::= {
    SUBTYPE OF    name
    WITH SYNTAX   UnboundedDirectoryString
    LDAP-SYNTAX   directoryString.&id
    LDAP-NAME     {"sn"}
    ID            id-at-surname
}


Where UnboundedDirectoryString is no longer bounded by the old ub-surname
size limit.

The same is true for all attributes listed in this erratum.

/Stefan



On 19/02/15 11:43, "RFC Errata System" <rfc-editor@rfc-editor.org> wrote:

>The following errata report has been submitted for RFC5280,
>"Internet X.509 Public Key Infrastructure Certificate and Certificate
>Revocation List (CRL) Profile".
>
>--------------------------------------
>You may review the report below and at:
>http://www.rfc-editor.org/errata_search.php?rfc=5280&eid=4274
>
>--------------------------------------
>Type: Editorial
>Reported by: Ilya V. Matveychikov <i.matveychikov@securitycode.ru>
>
>Section: A.1
>
>Original Text
>-------------
>-- Naming attributes of type X520CommonName:
>--   X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
>
>...
>
>-- Naming attributes of type X520LocalityName:
>--   X520LocalityName ::= DirectoryName (SIZE (1..ub-locality-name))
>
>...
>
>-- Naming attributes of type X520StateOrProvinceName:
>--   X520StateOrProvinceName ::= DirectoryName (SIZE (1..ub-state-name))
>
>...
>
>-- Naming attributes of type X520OrganizationName:
>--   X520OrganizationName ::=
>--          DirectoryName (SIZE (1..ub-organization-name))
>
>...
>
>-- Naming attributes of type X520OrganizationalUnitName:
>--   X520OrganizationalUnitName ::=
>--          DirectoryName (SIZE (1..ub-organizational-unit-name))
>
>...
>
>-- Naming attributes of type X520Title:
>--   X520Title ::= DirectoryName (SIZE (1..ub-title))
>
>...
>
>-- Naming attributes of type X520Pseudonym:
>--   X520Pseudonym ::= DirectoryName (SIZE (1..ub-pseudonym))
>
>
>Corrected Text
>--------------
>-- Naming attributes of type X520CommonName:
>--   X520CommonName ::= DirectoryString (SIZE (1..ub-common-name))
>
>...
>
>-- Naming attributes of type X520LocalityName:
>--   X520LocalityName ::= DirectoryString (SIZE (1..ub-locality-name))
>
>...
>
>-- Naming attributes of type X520StateOrProvinceName:
>--   X520StateOrProvinceName ::=
>--          DirectoryString (SIZE (1..ub-state-name))
>
>...
>
>-- Naming attributes of type X520OrganizationName:
>--   X520OrganizationName ::=
>--          DirectoryString (SIZE (1..ub-organization-name))
>
>...
>
>-- Naming attributes of type X520OrganizationalUnitName:
>--   X520OrganizationalUnitName ::=
>--          DirectoryString (SIZE (1..ub-organizational-unit-name))
>
>...
>
>-- Naming attributes of type X520Title:
>--   X520Title ::= DirectoryString (SIZE (1..ub-title))
>
>...
>
>-- Naming attributes of type X520Pseudonym:
>--   X520Pseudonym ::= DirectoryString (SIZE (1..ub-pseudonym))
>
>
>Notes
>-----
>Appendix B.  ASN.1 Notes says that:
>
>   For many of the attribute types defined in [X.520], the
>   AttributeValue uses the DirectoryString type.  Of the attributes
>   specified in Appendix A, the name, surname, givenName, initials,
>   generationQualifier, commonName, localityName, stateOrProvinceName,
>   organizationName, organizationalUnitName, title, and pseudonym
>   attributes all use the DirectoryString type.  X.520 uses a
>   parameterized type definition [X.683] of DirectoryString to specify
>   the syntax for each of these attributes.  The parameter is used to
>   indicate the maximum string length allowed for the attribute.  In
>   Appendix A, in order to avoid the use of parameterized type
>   definitions, the DirectoryString type is written in its expanded form
>   for the definition of each of these attribute types.  So, the ASN.1
>   in Appendix A describes the syntax for each of these attributes as
>   being a CHOICE of TeletexString, PrintableString, UniversalString,
>   UTF8String, and BMPString, with the appropriate constraints on the
>   string length applied to each of the types in the CHOICE, rather than
>   using the ASN.1 type DirectoryString to describe the syntax.
>
>There is nothing about DirectoryName type here. So comments in ASN.1 in
>A.1 are wrong and DirectoryName should be fixed to DirectoryString.
>
>Instructions:
>-------------
>This erratum is currently posted as "Reported". If necessary, please
>use "Reply All" to discuss whether it should be verified or
>rejected. When a decision is reached, the verifying party (IESG)
>can log in to change the status and edit the report, if necessary.
>
>--------------------------------------
>RFC5280 (draft-ietf-pkix-rfc3280bis-11)
>--------------------------------------
>Title               : Internet X.509 Public Key Infrastructure
>Certificate and Certificate Revocation List (CRL) Profile
>Publication Date    : May 2008
>Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R.
>Housley, W. Polk
>Category            : PROPOSED STANDARD
>Source              : Public-Key Infrastructure (X.509)
>Area                : Security
>Stream              : IETF
>Verifying Party     : IESG
>
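Added example (Python; not code from the thread, RFC 5280 or X.520): it decodes one DER-encoded value of the DirectoryString CHOICE that the quoted Appendix B note expands (TeletexString, PrintableString, UniversalString, UTF8String, BMPString) and checks it against the RFC 5280 Appendix A.1 upper bound for the attribute, or, when the caller opts into the X.520 (2012) UnboundedDirectoryString semantics Stefan describes, only against the lower bound of 1. It assumes definite-length DER with at most two length octets and decodes TeletexString as Latin-1, which is a simplification; the ub-* values are the ones RFC 5280 Appendix A.1 assigns to the attributes named in the erratum.

```python
# Added example, not from the thread: decode a DER DirectoryString CHOICE value
# and apply the RFC 5280 Appendix A SIZE bound, or skip it per X.520 (2012).

# Universal tags of the five alternatives in the DirectoryString CHOICE.
DIRECTORY_STRING_TAGS = {
    0x14: ("TeletexString", "latin-1"),  # T61String; latin-1 is a simplification
    0x13: ("PrintableString", "ascii"),
    0x1C: ("UniversalString", "utf-32-be"),
    0x0C: ("UTF8String", "utf-8"),
    0x1E: ("BMPString", "utf-16-be"),
}

# Upper bounds from RFC 5280 Appendix A.1, counted in characters, not bytes.
UB = {"commonName": 64, "localityName": 128, "stateOrProvinceName": 128,
      "organizationName": 64, "organizationalUnitName": 64, "title": 64,
      "pseudonym": 128}

def decode_directory_string(der: bytes) -> tuple:
    """Return (type name, text) for one definite-length DER TLV whose tag is a
    DirectoryString alternative; any other tag (e.g. IA5String) is rejected."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, first = der[0], der[1]
    if tag not in DIRECTORY_STRING_TAGS:
        raise ValueError(f"tag 0x{tag:02x} is not a DirectoryString alternative")
    if first < 0x80:                      # short-form length octet
        length, body = first, der[2:]
    else:                                 # long form, 1 or 2 length octets
        n = first & 0x7F
        if n == 0 or n > 2 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated length encoding")
        length, body = int.from_bytes(der[2:2 + n], "big"), der[2 + n:]
    if len(body) != length:
        raise ValueError("length octets do not match the content")
    name, codec = DIRECTORY_STRING_TAGS[tag]
    return name, body.decode(codec)

def check_attribute(attr: str, der: bytes, unbounded: bool = False) -> dict:
    """Decode one attribute value and check SIZE (1..ub-<attr>) as RFC 5280
    writes it, or only the lower bound when unbounded=True (X.520 2012)."""
    kind, text = decode_directory_string(der)
    if not text:
        raise ValueError("SIZE lower bound of 1 violated")
    bound = None if unbounded else UB[attr]
    return {"type": kind, "length": len(text), "bound": bound,
            "ok": bound is None or len(text) <= bound}
```

A 65-character BMPString commonName occupies 130 content octets but fails only because its character count exceeds ub-common-name, which is the distinction the bound is defined on.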