[cabfpub] EV Gudelines section 9.2.5 & X.520

Erwann Abalea Erwann.Abalea at docusign.com
Wed Jun 29 09:02:01 MST 2016 

Bonjour,

I haven’t seen an authoritative definition of these 3 attributes, but always considered them the way Peter described them.

Maybe Microsoft should propose a clear definition, using the syntax from RFC5912, something like this:

id-MS-jurisdictionLocalityName OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 311 60 2 1 1 }
id-MS-jurisdictionStateOrProvinceName OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 311 60 2 1 2 }
id-MS-jurisdictionCountryName OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 311 60 2 1 3 }

at-jurisdictionCountryName ATTRIBUTE ::= {
  TYPE PrintableString (SIZE (2))
  IDENTIFIED BY id-MS-jurisdictionCountryName
}

at-jurisdictionStateOrProvinceName ATTRIBUTE ::= {
  TYPE DirectoryString {ub-state-name}
  IDENTIFIED BY id-MS-jurisdictionStateOrProvinceName
}

at-jurisdictionLocalityName ATTRIBUTE ::= {
  TYPE DirectoryString {ub-locality-name}
  IDENTIFIED BY id-MS-jurisdictionLocalityName
}

DirectoryString is also redefined in RFC5912 to have a size constraint.

Cordialement,
Erwann Abalea

Le 29 juin 2016 à 17:08, 陳立群 <realsky at cht.com.tw<mailto:realsky at cht.com.tw>> a écrit :


    In X.520 as attached file or RFC 5280(https://tools.ietf.org/html/rfc5280) , There are no jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1),
jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2), jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3).  You can use search function to search attached PDF file.


These three OIDs are registered by Microsoft. Please see http://www.alvestrand.no/objectid/1.3.6.1.4.1.311.60.2.1.1.html, http://www.alvestrand.no/objectid/1.3.6.1.4.1.311.60.2.1.2.html and http://www.alvestrand.no/objectid/1.3.6.1.4.1.311.60.2.1.3.html


   Peter referenced EV GL 9.2.5 such as
Naming attributes of type X520LocalityName

id-at-localityName      AttributeType ::= { id-at 7 }

     that id is 2.5.4.

    But Country Name (2.5.4.6), State or Province Name (2.5.4.8) and  Locality Name (2.5.4.7) are appeared in X.520.


Li-Chun CHEN







-----Original Message-----
From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Friday, June 17, 2016 4:52 AM
To: CABFPub
Subject: [cabfpub] EV Gudelines section 9.2.5 & X.520

On today’s validation working group call, there was a question about how X.520 related to the attributes defined in section 9.2.5 of the EV Guidelines.

This section says:

"Locality (if required):
subject:jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1)
ASN.1 - X520LocalityName as specified in RFC 5280

State or province (if required):
subject:jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2)
ASN.1 - X520StateOrProvinceName as specified in RFC 5280

Country:
subject:jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3)
ASN.1 – X520countryName as specified in RFC 5280"

The ASN.1 definitions all reference RFC 5280 and are defined in Appendix A.  They are copied at the end of this email.  RFC 5280 also says " The DirectoryString type is defined as a choice of PrintableString, TeletexString, BMPString, UTF8String, and UniversalString.  CAs conforming to this profile MUST use either the PrintableString or UTF8String encoding of DirectoryString”

Taken together, this means:

jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3) must be a PrintableString with two characters which together are a “alpha 2” code defined in ISO 3166 Part 1.
jurisdictionStateOrProvinceName (OID: 1.3.6.1.4.1.311.60.2.1.2), if included, should be either a PrintableString or UTF8String and must contain at least 1 and not more than 128 characters.
jurisdictionLocalityName (OID: 1.3.6.1.4.1.311.60.2.1.1), if included, shoud be either a PrintableString or UTF8String and must contain at least 1 and not more than 128 characters.

The appropriate values for these attributes, and when one needs to include the the latter two, is defined in section 9.2.5 as well.

Does this help clarify how these attributes work?

Thanks,
Peter




-- Naming attributes of type X520LocalityName

id-at-localityName      AttributeType ::= { id-at 7 }

-- Naming attributes of type X520LocalityName:
--   X520LocalityName ::= DirectoryName (SIZE (1..ub-locality-name))
--
-- Expanded to avoid parameterized type:
X520LocalityName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-locality-name)),
      printableString   PrintableString (SIZE (1..ub-locality-name)),
      universalString   UniversalString (SIZE (1..ub-locality-name)),
      utf8String        UTF8String      (SIZE (1..ub-locality-name)),
      bmpString         BMPString       (SIZE (1..ub-locality-name)) }

-- Naming attributes of type X520StateOrProvinceName

id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

-- Naming attributes of type X520StateOrProvinceName:
--   X520StateOrProvinceName ::= DirectoryName (SIZE (1..ub-state-name))
--
-- Expanded to avoid parameterized type:
X520StateOrProvinceName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-state-name)),
      printableString   PrintableString (SIZE (1..ub-state-name)),
      universalString   UniversalString (SIZE (1..ub-state-name)),
      utf8String        UTF8String      (SIZE (1..ub-state-name)),
      bmpString         BMPString       (SIZE (1..ub-state-name)) }

-- Naming attributes of type X520countryName (digraph from IS 3166)

id-at-countryName       AttributeType ::= { id-at 6 }

X520countryName ::=     PrintableString (SIZE (2))

-- Upper Bounds

ub-locality-name INTEGER ::= 128
ub-state-name INTEGER ::= 128

_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任.
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.


<T-REC-X.520-201210-I!!PDF-E.pdf>_______________________________________________
Public mailing list
Public at cabforum.org<mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160629/29765ed5/attachment-0001.html

More information about the Public mailing list