[cabfpub] RFC5280

"Barreira Iglesias, Iñigo" i-barreira at izenpe.eus
Thu Feb 25 08:15:30 UTC 2016

The rule of thumb for this is usually to cut from the right when the 64 characters are reached, or to advise the customer of the issue and ask for another name to be included in the certificate. We face the problem every day because, even for longer names, everything has to go in 2 languages, Spanish and Basque, so it's even worse than your expectations. But I wouldn't go "against" RFC 5280 but ask PKIX for an update to allow more characters, but we all know that we're not reaching an agreement on this because, which should be the new length? 100? 150? No limit?

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.eus 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Geoff Keating
Sent: Wednesday, 24 February 2016 23:25
To: Jeremy Rowley
CC: Stephen Davidson; public at cabforum.org
Subject: Re: [cabfpub] RFC5280

> On 24 Feb 2016, at 1:19 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> Exactly - there are a lot of these. Should we throw it in the OU and 
> split it up over multiple lines and put the O field in as " Ecole 
> Nationale Supérieure"?  There isn't a lot of guidance in the BRs with 
> respect to these long names.

I would suggest using the EV guideline:

If the combination of names or the organization name by itself exceeds 64 characters, the CA MAY abbreviate parts of the organization name, and/or omit non-material words in the organization name in such a way that the text in this field does not exceed the 64-character limit; provided that the CA checks this field in accordance with section 11.12.1 and a Relying Party will not be misled into thinking that they are dealing with a different organization. In cases where this is not possible, the CA MUST NOT issue the EV Certificate.

Maybe we should move this into the BRs?  Or some simplified version of it that doesn’t drag in 11.12.1? 
