[cabfpub] EV Gudelines section 9.2.5 & X.520

Peter Bowen pzb at amzn.com
Thu Jun 16 13:52:28 MST 2016 

On today’s validation working group call, there was a question about how X.520 related to the attributes defined in section 9.2.5 of the EV Guidelines.

This section says:

"Locality (if required):
subject:jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1) 
ASN.1 - X520LocalityName as specified in RFC 5280

State or province (if required):
subject:jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2)
ASN.1 - X520StateOrProvinceName as specified in RFC 5280 

Country:
subject:jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3) 
ASN.1 – X520countryName as specified in RFC 5280"

The ASN.1 definitions all reference RFC 5280 and are defined in Appendix A.  They are copied at the end of this email.  RFC 5280 also says " The DirectoryString type is defined as a choice of PrintableString, TeletexString, BMPString, UTF8String, and UniversalString.  CAs conforming to this profile MUST use either the PrintableString or UTF8String encoding of DirectoryString”

Taken together, this means:

jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3) must be a PrintableString with two characters which together are a “alpha 2” code defined in ISO 3166 Part 1.
jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2), if included, should be either a PrintableString or UTF8String and must contain at least 1 and not more than 128 characters.
jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1), if included, shoud be either a PrintableString or UTF8String and must contain at least 1 and not more than 128 characters.

The appropriate values for these attributes, and when one needs to include the the latter two, is defined in section 9.2.5 as well.

Does this help clarify how these attributes work?

Thanks,
Peter




-- Naming attributes of type X520LocalityName

id-at-localityName      AttributeType ::= { id-at 7 }

-- Naming attributes of type X520LocalityName:
--   X520LocalityName ::= DirectoryName (SIZE (1..ub-locality-name))
--
-- Expanded to avoid parameterized type:
X520LocalityName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-locality-name)),
      printableString   PrintableString (SIZE (1..ub-locality-name)),
      universalString   UniversalString (SIZE (1..ub-locality-name)),
      utf8String        UTF8String      (SIZE (1..ub-locality-name)),
      bmpString         BMPString       (SIZE (1..ub-locality-name)) }

-- Naming attributes of type X520StateOrProvinceName

id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

-- Naming attributes of type X520StateOrProvinceName:
--   X520StateOrProvinceName ::= DirectoryName (SIZE (1..ub-state-name))
--
-- Expanded to avoid parameterized type:
X520StateOrProvinceName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-state-name)),
      printableString   PrintableString (SIZE (1..ub-state-name)),
      universalString   UniversalString (SIZE (1..ub-state-name)),
      utf8String        UTF8String      (SIZE (1..ub-state-name)),
      bmpString         BMPString       (SIZE (1..ub-state-name)) }

-- Naming attributes of type X520countryName (digraph from IS 3166)

id-at-countryName       AttributeType ::= { id-at 6 }

X520countryName ::=     PrintableString (SIZE (2))

-- Upper Bounds

ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128

More information about the Public mailing list