
Re: names in certificates for IPSec...?



Remember that most DN attributes have upper bound values defined.  The
ones you mentioned have upper bounds defined in Annex C of the X.520
document.

Alex

Annex C

Upper bounds
(This annex does not form an integral part of this Recommendation |
International Standard)
This annex includes all of the suggested upper bound value constraints
used in these Directory Specifications, in the form of the ASN.1 module
UpperBounds.


UpperBounds {joint-iso-ccitt ds(5) module(1) upperBounds(10) 2}
DEFINITIONS ::=
BEGIN
-- EXPORTS All --
-- The types and values defined in this module are exported for use in
-- the other ASN.1 modules contained within the Directory Specifications,
-- and for the use of other applications which will use them to access
-- Directory services. Other applications may use them for their own
-- purposes, but this will not constrain extensions and modifications
-- needed to maintain or improve the Directory service.

ub-answerback	INTEGER	::=	8
ub-business-category	INTEGER	::=	128
ub-common-name	INTEGER	::=	64
ub-country-code	INTEGER	::=	4
ub-description	INTEGER	::=	1024
ub-destination-indicator	INTEGER	::=	128
ub-directory-string-first-component-match 	INTEGER	::=	32768
ub-international-isdn-number	INTEGER	::=	16
ub-knowledge-information	INTEGER	::=	32768
ub-locality-name	INTEGER	::=	128
ub-match	INTEGER	::=	128
ub-name	INTEGER	::=	32768
ub-organization-name	INTEGER	::=	64
ub-organizational-unit-name	INTEGER	::=	64
ub-physical-office-name	INTEGER	::=	128
ub-post-office-box	INTEGER	::=	40
ub-postal-code	INTEGER	::=	40
ub-postal-line	INTEGER	::=	6
ub-postal-string	INTEGER	::=	30
ub-schema	INTEGER	::=	1024
ub-serial-number	INTEGER	::=	64
ub-state-name	INTEGER	::=	128
ub-street-address	INTEGER	::=	128
ub-surname	INTEGER	::=	64
ub-tag	INTEGER	::=	64
ub-telephone-number	INTEGER	::=	32
ub-teletex-terminal-id	INTEGER	::=	1024
ub-telex-number	INTEGER	::=	14
ub-title	INTEGER	::=	64
ub-user-password	INTEGER	::=	128
ub-x121-address	INTEGER	::=	15
END

Rodney Thayer wrote:
> 
> Anyone have ideas on how large a name for an IPSec certificate should be?  How many parts (surname, organization, organizational unit, country, etc.) should it have?  How big should each entry be allowed to be?
> 
> I am interested in what IPSec users and implementors want, _not_ what certificate engine vendors are selling.  For example, the fact some CAs jam copyright notices, nutritional information, and galactic polar coordinates into these things is not relevant.
> 
> I was thinking of this:
> 
> max 16 entries
> max 256 characters each entry
> 
> Also, does this work for non-US names?  I am not sure how non-US names should be stored in this, and I was present when someone from Japan pointed out we kind of got this wrong in the Open PGP work at the IETF meeting.


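Added example, not part of the original messages: a Python check of a certificate subject name against the Annex C upper bounds quoted in the reply and against the 16-entry / 256-character limits proposed in the question. The short attribute names (CN, O, OU, ...), the simplified string parsing, and counting length in characters rather than encoded bytes are assumptions of this example.

```python
# Upper bounds (in characters) copied from the Annex C module quoted above.
# The short attribute names used as keys are this example's assumption.
UPPER_BOUNDS = {"CN": 64, "SN": 64, "O": 64, "OU": 64, "TITLE": 64,
                "L": 128, "ST": 128, "STREET": 128}
MAX_ENTRIES = 16        # limits proposed in the quoted question
MAX_ENTRY_CHARS = 256


def split_entries(dn):
    """Split a DN string on unescaped ',' and '+' and drop the backslashes.

    Simplified: hex-pair escapes, quoted values and '#' hex values are
    not handled.
    """
    entries, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])      # escaped character is kept literally
            i += 2
            continue
        if ch in ",+":
            entries.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    entries.append("".join(cur))
    return [e.strip() for e in entries]


def check_dn(dn):
    """Return a list of limit violations for a DN such as 'CN=...,O=...'."""
    problems = []
    entries = split_entries(dn)
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries > proposed max {MAX_ENTRIES}")
    for entry in entries:
        attr, _, value = entry.partition("=")
        attr = attr.strip().upper()
        n = len(value)                 # code points, not encoded bytes
        bound = UPPER_BOUNDS.get(attr)
        if bound is not None and n > bound:
            problems.append(f"{attr}: {n} chars > X.520 upper bound {bound}")
        if n > MAX_ENTRY_CHARS:
            problems.append(f"{attr}: {n} chars > proposed max {MAX_ENTRY_CHARS}")
    return problems


# Constructed sample: a 64-character non-ASCII name is 192 bytes in UTF-8.
JP_ORG = "O=" + "\u682a" * 64
```

An implementation that sizes its buffers in bytes needs more room than the character bound suggests: the constructed JP_ORG value passes the 64-character check but occupies 192 bytes when encoded as UTF-8.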