
Re: Registering a Certificate Policy OID



Cameron:

It is absolutely critical that private OIDs are obtained from legitimate authorities! There are two basic strategies for obtaining legitimate OIDs. The first strategy is to register the objects with an authority. This strategy is very convenient if the PKI uses a small number of relatively stable OIDs to represent certificate policies. The second strategy is to obtain an arc from an authority and assign OIDs as needed. This strategy may be preferred if policies are less stable or many OIDs are needed.

ANSI is the registration authority for the US for organization names under the global registration process established by ISO and ITU. A fact sheet with links to an application form is located at the ANSI web site (http://web.ansi.org/public/services/reg_org.html). The ANSI OID arc for organizations is 2.16.840.1. ANSI charges a fee for OID arc assignments. It takes approximately two weeks to receive the assigned OID arc from ANSI. ANSI will assign a number (NEWNUM), creating a new OID arc: 2.16.840.1.NEWNUM.

In most countries, the national standards association maintains an OID registry. As with the ANSI arc, these are generally arcs assigned under the OID 2.16. It may take some investigation to find the OID authority for a particular country. The addresses for ISO national member bodies may be found at http://www.iso.ch/addresse/membodies.html. The information includes postal address and electronic mail. In many cases, a web site is specified as well.

Another possible starting point is the International Register of ISO DCC NSAP schemes. NSAP stands for Network Service Access Point, and is used in various international standards. The registry for schemes may be obtained at http://www.fei.org.uk/fei/dcc-nsap.htm. The web site currently lists contact information for thirteen naming authorities, some of which will also assign OIDs.

The Internet Assigned Numbers Authority (IANA) assigns private enterprise numbers, which are OIDs, in the arc 1.3.6.1.4.1. IANA has assigned arcs to over 7,500 companies to date. The application page is located at http://www.iana.org/forms.html, under Private Enterprise Numbers. The IANA usually takes about one week. An OID from IANA is free. IANA will assign a number (NEWNUM) so that the new OID arc will be 1.3.6.1.4.1.NEWNUM.

The U.S. Federal Government maintains the Computer Security Objects Registry (CSOR). The CSOR is the naming authority for the arc 2.16.840.1.101.3, and is currently registering objects for security labels, cryptographic algorithms, and certificate policies. The certificate policy OIDs are defined in the arc 2.16.840.1.101.3.2.1. The CSOR provides policy OIDs to agencies of the U.S. Federal Government. For more information about the CSOR, see http://csrc.nist.gov/csor/. For more information on OIDs for certificate policies, see http://csrc.nist.gov/csor/pkireg.htm.

Good luck,
   Russ

At 04:20 PM 2/26/2001 -0800, Cameron Smith wrote:
(Pardon my ignorant question and wide distribution, but I don't know where
else to turn.)

How does one obtain/register a Certificate Policy OID for an organization?

Regards,

Cameron

--
Cameron Smith
PKI Security Analyst
Symantec Corporation
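
Added example, not part of the original message: a Python sketch that finds which of the arcs named in the reply above contains a given policy OID, lists policy OIDs that fall outside an organization's assigned arc, and DER-encodes an OID as it would appear in a certificate. All function names are this example's own, and the enterprise number 99999 used in testing is a constructed stand-in for NEWNUM.

```python
# Arcs quoted in the message above; the labels are this example's wording.
KNOWN_ARCS = {
    "2.16.840.1": "ANSI organizations",
    "1.3.6.1.4.1": "IANA private enterprise numbers",
    "2.16.840.1.101.3": "CSOR",
    "2.16.840.1.101.3.2.1": "CSOR certificate policies",
}

def parse_oid(text):
    """Parse dotted-decimal text into a tuple of ints; reject malformed OIDs."""
    parts = text.split(".")
    ok = all(p.isascii() and p.isdigit() and (p == "0" or p[0] != "0") for p in parts)
    if len(parts) < 2 or not ok:
        raise ValueError(f"malformed OID: {text!r}")
    arcs = tuple(int(p) for p in parts)
    # First arc is 0..2; the second is limited to 0..39 unless the first is 2.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid root arcs: {text!r}")
    return arcs

def is_under(oid, arc):
    """True if oid lies strictly below arc, compared per component, not as text."""
    o, a = parse_oid(oid), parse_oid(arc)
    return len(o) > len(a) and o[:len(a)] == a

def registry_for(oid):
    """Longest arc from the message that contains oid, or None if none does."""
    matches = [a for a in KNOWN_ARCS if is_under(oid, a)]
    return max(matches, key=lambda a: len(parse_oid(a)), default=None)

def outside_assigned_arc(policy_oids, assigned_arc):
    """Policy OIDs that are NOT below the arc the organization was assigned."""
    return [o for o in policy_oids if not is_under(o, assigned_arc)]

def der_encode(oid):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length only)."""
    arcs = parse_oid(oid)
    body = bytearray()
    for value in (40 * arcs[0] + arcs[1],) + arcs[2:]:
        chunk = [value & 0x7F]          # last base-128 digit has the high bit clear
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)
```

The component-wise comparison matters: 1.3.6.1.4.10.5 starts with the text "1.3.6.1.4.1" but is not under the IANA arc.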