Re: Registering a Certificate Policy OID
A couple of small points though.

Semantics seem to matter to humans. I've helped
set up OID registries for folks who felt that
where they got their OID arc from had marketing
implications, even though the encoded OID value
is just an opaque string that has no semantics
at all.

So XYZ Consortium may wish to purchase an ISO
OID under "iso(1) identified-organization(3)"
or "joint-iso-itu-t(2) internationalRA(23)",
rather than use a free IANA OID, simply
because they feel that this makes them a
recognized international organization.

Other folks may have OID size requirements that
preclude using a free IANA OID for some purposes,
due to the length of these values when they are
encoded. Instead an OID that encodes in fewer
octets might be purchased so that object
identifiers require less space or bandwidth
in messages.

Phil

David Simonetti wrote:
>
> Excellent summary, Russ! I have found IANA to be the most convenient.
>
> Dave S.
>
> Russ Housley wrote:
>
> > Cameron:
> >
> > It is absolutely critical that private OIDs are obtained from legitimate
> > authorities! There are two basic strategies for obtaining legitimate
> > OIDs. The first strategy is to register the objects with an
> > authority. This strategy is very convenient if the PKI uses a small number
> > of relatively stable OIDs to represent certificate policies. The second
> > strategy is to obtain an arc from an authority and assign OIDs as
> > needed. This strategy may be preferred if policies are less stable or many
> > OIDs are needed.
> >
> > ANSI is the registration authority for the US for organization names under
> > the global registration process established by ISO and ITU. A fact sheet
> > with links to an application form is located at the ANSI web site
> > (http://web.ansi.org/public/services/reg_org.html). The ANSI OID arc for
> > organizations is 2.16.840.1. ANSI charges a fee for OID arc
> > assignments. It takes approximately two weeks to receive the assigned OID
> > arc from ANSI. ANSI will assign a number (NEWNUM), creating a new OID arc:
> > 2.16.840.1.NEWNUM.
> >
> > In most countries, the national standards association maintains an OID
> > registry. As with the ANSI arc, these are generally arcs assigned under
> > the OID 2.16. It may take some investigation to find the OID authority for
> > a particular country. The addresses for ISO national member bodies may be
> > found at http://www.iso.ch/addresse/membodies.html. The information
> > includes postal address and electronic mail. In many cases, a web site is
> > specified as well.
> >
> > Another possible starting point is the International Register of ISO DCC
> > NSAP schemes. NSAP stands for Network Service Access Point, and is used in
> > various international standards. The registry for schemes may be obtained
> > at http://www.fei.org.uk/fei/dcc-nsap.htm. The web site currently lists
> > contact information for thirteen naming authorities, some of which will
> > also assign OIDs.
> >
> > The Internet Assigned Numbers Authority (IANA) assigns private enterprise
> > numbers, which are OIDs, in the arc 1.3.6.1.4.1. IANA has assigned arcs to
> > over 7,500 companies to date. The application page is located at
> > http://www.iana.org/forms.html, under Private Enterprise Numbers. The IANA
> > usually takes about one week. An OID from IANA is free. IANA will assign
> > a number (NEWNUM) so that the new OID arc will be 1.3.6.1.4.1.NEWNUM.
> >
> > The U.S. Federal Government maintains the Computer Security Objects
> > Registry (CSOR). The CSOR is the naming authority for the arc
> > 2.16.840.1.101.3, and is currently registering objects for security labels,
> > cryptographic algorithms, and certificate policies. The certificate policy
> > OIDs are defined in the arc 2.16.840.1.101.3.2.1. The CSOR provides policy
> > OIDs to agencies of the U.S. Federal Government. For more information
> > about the CSOR, see http://csrc.nist.gov/csor/. For more information on
> > OIDs for certificate policies, see http://csrc.nist.gov/csor/pkireg.htm.
> >
> > Good luck,
> > Russ
> >
> > At 04:20 PM 2/26/2001 -0800, Cameron Smith wrote:
> > >(Pardon my ignorant question and wide distribution, but I don't know where
> > >else to turn.)
> > >
> > >How does one obtain/register a Certificate Policy OID for an organization?
> > >
> > >Regards,
> > >
> > >Cameron
> > >
> > >--
> > >Cameron Smith
> > >PKI Security Analyst
> > >Symantec Corporation
>
> --
> David Simonetti
> Securify (www.securify.com), 410-356-2260
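
The point above about encoded OID length can be checked by DER-encoding the same policy OID under each arc named in this thread. This is an added example, not part of the original messages; the assigned number 99999 and the ".1.1" policy suffix are constructed placeholders, not real assignments.

```python
def _base128(n):
    """One arc as base-128 octets, high bit set on every octet except the last."""
    if n < 0:
        raise ValueError("arc values are non-negative")
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def _der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, length, content octets)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    first, second = arcs[0], arcs[1]
    if first not in (0, 1, 2) or (first < 2 and second > 39):
        raise ValueError("invalid first or second arc")
    # The first two arcs share one subidentifier: 40 * first + second.
    content = _base128(40 * first + second)
    content += b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_length(len(content)) + content


# Parent arcs mentioned in the thread.
PARENT_ARCS = ["1.3.6.1.4.1", "2.16.840.1", "1.3", "2.23"]


def encoded_sizes(newnum, suffix="1.1"):
    """Total DER size in octets of <parent>.<newnum>.<suffix> per parent arc."""
    return {p: len(encode_oid(f"{p}.{newnum}.{suffix}")) for p in PARENT_ARCS}


if __name__ == "__main__":
    # 99999 is a constructed assigned number used for every arc.
    for parent, size in encoded_sizes(99999).items():
        print(f"{parent}.99999.1.1 -> {size} octets")
```
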