[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [IETF-PKIX] Subject/Issuer Name Population
I have attached proposed text for the issuer and subject name sections.
Highlights:
(1) issuer name is required (that is, may not be an empty SEQUENCE).
(2) subject name is required for CA certs. (This means you never chain off
altnames!)
(3) Name comparison rules are greatly relaxed from the X.520 text. Binary
comparison of attribute values is permitted for everything except
PrintableString. That is, no white space compression or case conversion in
BMP or UTF8.
(Rationale for PrintableString: It has already been implemented, and is
used in practically all certificates. Upper and lowercase country codes,
etc. will break if we don't support it.)
Please take the time to review the text.
4.1.2.4 Issuer Name
The issuer name identifies the entity who has signed (and issued the
certificate). The issuer identity must be carried in the issuer name
field. The issuer name field shall contain an X.500 distinguished
name (DN). The issuer field is defined as the X.501 type Name. Name
is defined by the following ASN.1 structures:
Name ::= CHOICE {
RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::=
SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType
DirectoryString ::= CHOICE {
teletexString TeletexString (SIZE (1..MAX)),
printableString PrintableString (SIZE (1..MAX)),
universalString UniversalString (SIZE (1..MAX)),
utf8String UTF8String (SIZE (1.. MAX)),
bmpString BMPString (SIZE (1..MAX)) }
The Name describes a hierarchical name composed of attributes, such
as country name, and corresponding values, such as US. The type of
the component AttributeValue is determined by the AttributeType; in
general it will be a DirectoryString.
The DirectoryString type is defined as a choice of PrintableString,
TeletexString, BMPString UTF8String and UniversalString. When creat-
ing a distinguished name, including their own, conforming CAs shall
choose from these options as follows:
(a) if the character set is sufficient, the string will be
represented as a PrintableString;
(b) failing (a), if the BMPString character set is sufficient the
string shall be represented as a BMPString; and
(c) failing (a) and (b), the string shall be represented as a
UTF8String.
The TeletexString and UniversalString are included for backward com-
patibility, and should not be used for certificates for new subjects.
However, these types may be used in certificates where the name was
previously established. Certificate users should be prepared to
receive certificates with these string types.
Standard sets of attributes have been defined in the X.500 series of
specifications. Where CAs issue certificates with X.501 type names,
it is recommended that these attributes types be used.
Certificate users must be prepared to process the issuer dis-
tinguished name and subject distinguished name (Section 4.1.2.6)
fields to perform name chaining for certification path validation
(see Section 7.) Name chaining is performed by matching the issuer
distinguished name in one certificate with the subject name in
another.
This specification requires only a subset of the name comparison
functionality specified in X.501. The requirements for conforming
implementations are as follows:
(a) attribute values encoded in different string types (e.g.,
PrintableString and BMPString) may be assumed to represent dif-
ferent strings;
(b) attribute values in string types other than PrintableString
are case sensitive (this permits matching of attribute values as
binary objects);
(c) attribute values in PrintableString are not case sensitive
(e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
(d) attribute values in PrintableString are compared after remov-
ing leading and trailing white space and converting internal
strings of one or more consecutive white space characters to a
single space.
These name comparison rules permit a certificate user to validate
certificates issued using languages or encodings unfamiliar to the
certificate user.
4.1.2.5 Validity
(UNCHANGED)
4.1.2.6 Subject Name
The subject name identifies the entity associated with the public key
stored in the subject public key field. The subject identity may be
carried in the subject field and/or the subjectAltName extension. If
the subject is a certification authority (e.g., the basic constraints
extension [see 4.2.1.10] is present and the value of cA is TRUE,)
then the subject identity must be carried in the subject field. If
identity information is present only in the subjectAltName extension
(e.g., a key bound only to an email address or URI), then the subject
name must be an empty sequence and the subjectAltName extension must
be critical.
Where it is non-null, the subject name field shall contain an X.500
distinguished name (DN). The DN must be unique for each subject
entity certified by the one CA as defined by the issuer name field.
(A CA may issue more than one certificate with the same DN to the
same subject entity.)
The subject name field is defined as the X.501 type Name, and shall
follow the encoding rules for the issuer name field (see 4.1.2.4).
When encoding strings as the type PrintableString, conforming CAs
should use mixed case but should not include leading or trailing
white space and should limit internal white space to substrings of a
single space.
Implementations of this specification should be prepared to receive
following X.501 attribute types: country, organization,
organizational-unit, title, locality, state or province name, common
name (e.g., "Tim Polk"), surname, given name, initials, and genera-
tionqualifier (e.g., "Junior" or "IV". The syntax and associated
object identifiers for these attribute types are provided in the
ASN.1 modules in Appendices A. and B.
Legacy implementations exist where an RFC 822 name is embedded in the
subject distinguished name as a PKCS #9 e-mail attribute, which has
the ASN.1 type EmailAddress [PKCS #9]. Conforming implementations
shall not generate new certificates with this attribute, but should
be prepared to receive them. (New certificates must use the
rfc822Name in the subject alternative name field (see 4.2.1.7) to
describe such identities.)
The ASN.1 syntax for EmailAddress and the corresponding OID are sup-
plied below.
EmailAddress ::= IA5String
pkcs-9 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) 9 }
emailAddress OBJECT IDENTIFIER ::= { pkcs-9 1 }