
Re: draft-ietf-pkix-rfc3770bis-01: OID Import






Peter Sylvester wrote:

We are not talking about pains created by difficulties of correct
organisation of ASN.1 modules or using current and non-obsolete syntax
versions.

This gets to the real problem.  If the entire pkix OID registry
(http://www.imc.org/ietf-pkix/pkix-oid.asn) were maintained
as an ASN.1 module and always IMPORTed, this would
eliminate problems caused by importing modules containing both
structures and OIDs when only the OIDs are needed.

Given that there is not yet a "pkix-useful-definitions" module, Russ'
strategy of local definitions is a reasonable workaround:

1) an OID, once assigned, can never change so there is no danger
of an initially-correct copy getting out of sync with the original.
(An OID can be deprecated, but its meaning cannot be modified.)

2) the name assigned to an OID has only local scope, and
many names can be assigned to the same OID without causing
problems (other than confusing readers). One module can
locally define "id-bogus-aca"  and use that name within the module
and still interoperate successfully with a different module
that IMPORTs "id-aca" from PKIXAttributeCertificate.

Recommendation: create a module containing only PKIX
constant definitions (OIDs, bounds, etc).  Start importing
it into other modules as they are revised for other reasons.
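
Point 2 above, shown as an added example that is not part of the original message: two modules that give the same OID different local names produce identical DER bytes, because only the arcs are encoded. The module fragments are constructed, the arc values for id-pkix and id-aca are supplied by this example rather than by the post, and the function names are hypothetical.

```python
import re

# Constructed module fragments. The arc values (id-pkix = 1.3.6.1.5.5.7,
# id-aca = { id-pkix 10 }) are this example's assumption, not from the post.
LOCAL_MODULE = """
id-pkix      OBJECT IDENTIFIER ::= { 1 3 6 1 5 5 7 }
id-bogus-aca OBJECT IDENTIFIER ::= { id-pkix 10 }
"""
IMPORTING_MODULE = """
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6)
        internet(1) security(5) mechanisms(5) pkix(7) }
id-aca  OBJECT IDENTIFIER ::= { id-pkix 10 }
"""
ASSIGN = re.compile(r"([a-z][\w-]*)\s+OBJECT IDENTIFIER\s*::=\s*\{([^}]*)\}")

def resolve(module_text):
    """Map each locally defined name to its full tuple of arcs."""
    table = {}
    for name, body in ASSIGN.findall(module_text):
        arcs = []
        for tok in body.split():
            m = re.fullmatch(r"(?:[\w-]+\()?(\d+)\)?", tok)
            if m:                        # plain "7" or named "pkix(7)"
                arcs.append(int(m.group(1)))
            else:                        # reference to an earlier local name
                arcs.extend(table[tok])
        table[name] = tuple(arcs)
    return table

def der_oid(arcs):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length only)."""
    body = bytearray()
    for v in (40 * arcs[0] + arcs[1],) + tuple(arcs[2:]):
        chunk = [v & 0x7F]               # last base-128 digit, high bit clear
        while v > 0x7F:
            v >>= 7
            chunk.append((v & 0x7F) | 0x80)
        body += bytes(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)

def aliases(*modules):
    """Group names from several modules by the DER encoding they denote."""
    by_der = {}
    for text in modules:
        for name, arcs in resolve(text).items():
            by_der.setdefault(der_oid(arcs), set()).add(name)
    return by_der
```

The same grouping, run over a local copy and the registry, flags a mistyped local definition: its name lands under an encoding that no registry name shares.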