Re: names in certificates for IPSec...?
Remember that most DN attributes have upper bound values defined. The
ones you mentioned have upper bounds defined in Annex C of the X.520
document.
Alex
Annex C
Upper bounds
(This annex does not form an integral part of this Recommendation |
International Standard)
This annex includes all of the suggested upper bound value constraints
used in these Directory Specifications, in the form of the ASN.1 module
UpperBounds.
UpperBounds {joint-iso-ccitt ds(5) module(1) upperBounds(10) 2}
DEFINITIONS ::=
BEGIN
-- EXPORTS All --
-- The types and values defined in this module are exported for use in the other ASN.1 modules contained
-- within the Directory Specifications, and for the use of other applications which will use them to access
-- Directory services. Other applications may use them for their own purposes, but this will not constrain
-- extensions and modifications needed to maintain or improve the Directory service.
ub-answerback INTEGER ::= 8
ub-business-category INTEGER ::= 128
ub-common-name INTEGER ::= 64
ub-country-code INTEGER ::= 4
ub-description INTEGER ::= 1024
ub-destination-indicator INTEGER ::= 128
ub-directory-string-first-component-match INTEGER ::= 32768
ub-international-isdn-number INTEGER ::= 16
ub-knowledge-information INTEGER ::= 32768
ub-locality-name INTEGER ::= 128
ub-match INTEGER ::= 128
ub-name INTEGER ::= 32768
ub-organization-name INTEGER ::= 64
ub-organizational-unit-name INTEGER ::= 64
ub-physical-office-name INTEGER ::= 128
ub-post-office-box INTEGER ::= 40
ub-postal-code INTEGER ::= 40
ub-postal-line INTEGER ::= 6
ub-postal-string INTEGER ::= 30
ub-schema INTEGER ::= 1024
ub-serial-number INTEGER ::= 64
ub-state-name INTEGER ::= 128
ub-street-address INTEGER ::= 128
ub-surname INTEGER ::= 64
ub-tag INTEGER ::= 64
ub-telephone-number INTEGER ::= 32
ub-teletex-terminal-id INTEGER ::= 1024
ub-telex-number INTEGER ::= 14
ub-title INTEGER ::= 64
ub-user-password INTEGER ::= 128
ub-x121-address INTEGER ::= 15
END
Rodney Thayer wrote:
>
> Anyone have ideas on how large a name for an IPSec certificate should be? How many parts (surname, organization, organizational unit, country, etc.) should it have? How big should each entry be allowed to be?
>
> I am interested in what IPSec users and implementors want, _not_ what certificate engine vendors are selling. For example, the fact some CAs jam copyright notices, nutritional information, and galactic polar coordinates into these things is not relevant.
>
> I was thinking of this:
>
> max 16 entries
> max 256 characters each entry
>
> Also, does this work for non-US names? I am not sure how non-US names should be stored in this, and I was present when someone from Japan pointed out we kind of got this wrong in the Open PGP work at the IETF meeting.
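
A check of a certificate name against the Annex C bounds quoted in this message and the 16-entry / 256-character limits proposed in the question. This is an added example, not part of the original message: the DN is passed as (attribute, value) pairs, the mapping from attribute short names to ub- constants is an assumption of the example, and the sample names are constructed.

```python
# Upper bounds (in characters) copied from the Annex C listing in this message.
UPPER_BOUNDS = {
    "ub-common-name": 64,
    "ub-locality-name": 128,
    "ub-organization-name": 64,
    "ub-organizational-unit-name": 64,
    "ub-state-name": 128,
    "ub-surname": 64,
}
# Assumption of this example: which bound governs which DN attribute short name.
ATTR_BOUND = {
    "CN": "ub-common-name", "L": "ub-locality-name",
    "O": "ub-organization-name", "OU": "ub-organizational-unit-name",
    "ST": "ub-state-name", "SN": "ub-surname",
}
# Limits proposed in the quoted question.
MAX_ENTRIES = 16
MAX_ENTRY_CHARS = 256

def utf8_octets(value):
    """Encoded size of a value; differs from the character count for non-ASCII names."""
    return len(value.encode("utf-8"))

def check_name(rdns):
    """Return a list of violations for a DN given as (attribute, value) pairs."""
    findings = []
    if len(rdns) > MAX_ENTRIES:
        findings.append(f"{len(rdns)} entries exceeds proposed max of {MAX_ENTRIES}")
    for attr, value in rdns:
        chars = len(value)  # the bounds count characters, not encoded octets
        if chars > MAX_ENTRY_CHARS:
            findings.append(f"{attr}: {chars} chars exceeds proposed max of {MAX_ENTRY_CHARS}")
        bound = ATTR_BOUND.get(attr)  # unmapped attributes get only the generic check
        if bound and chars > UPPER_BOUNDS[bound]:
            findings.append(f"{attr}: {chars} chars exceeds {bound} ({UPPER_BOUNDS[bound]})")
    return findings

if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    samples = {
        "ascii gateway": [("C", "JP"), ("O", "Example KK"), ("CN", "gw1.example.jp")],
        "30-char non-ASCII O": [("O", "株" * 30)],
        "65-char non-ASCII O": [("O", "株" * 65)],
        "300-char CN": [("CN", "a" * 300)],
    }
    for label, rdns in samples.items():
        octets = sum(utf8_octets(v) for _, v in rdns)
        print(label, octets, "octets:", check_name(rdns) or "ok")
```

The 30-character organization name passes the character bounds yet occupies 90 octets in UTF-8, which matters when sizing buffers for non-US names.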