Re: names in certificates for IPSec...?
I just discovered that these numbers are also defined in draft-ietf-pkix-ipki-part1-10.txt, as well as OIDs for them. So I'll change the text to say "128 or the documented max, see pkix part 1", which seems to be the net of what I want to add to the subject.
I've submitted my draft through channels so it should pop out the other end "in 5 days", if the procedure works as documented. I'm working on the next round and trying to address comments from the list as I go along.
At 09:58 AM 9/8/98 -0700, you wrote:
>Remember that most DN attributes have upper bound values defined. The
>ones you mentioned have upper bounds defined in Annex C of the X.520
>document.
>
>Alex
>
>Annex C
>
>Upper bounds
>(This annex does not form an integral part of this Recommendation |
>International Standard)
>This annex includes all of the suggested upper bound value constraints
>used in these Directory Specifications, in the form of the ASN.1 module
>UpperBounds.
>
>
>UpperBounds {joint-iso-ccitt ds(5) module(1) upperBounds(10) 2}
>DEFINITIONS ::=
>BEGIN
>-- EXPORTS All --
>-- The types and values defined in this module are exported for use in
>-- the other ASN.1 modules contained within the Directory Specifications,
>-- and for the use of other applications which will use them to access
>-- Directory services. Other applications may use them for their own
>-- purposes, but this will not constrain extensions and modifications
>-- needed to maintain or improve the Directory service.
>
>ub-answerback INTEGER ::= 8
>ub-business-category INTEGER ::= 128
>ub-common-name INTEGER ::= 64
>ub-country-code INTEGER ::= 4
>ub-description INTEGER ::= 1024
>ub-destination-indicator INTEGER ::= 128
>ub-directory-string-first-component-match INTEGER ::= 32768
>ub-international-isdn-number INTEGER ::= 16
>ub-knowledge-information INTEGER ::= 32768
>ub-locality-name INTEGER ::= 128
>ub-match INTEGER ::= 128
>ub-name INTEGER ::= 32768
>ub-organization-name INTEGER ::= 64
>ub-organizational-unit-name INTEGER ::= 64
>ub-physical-office-name INTEGER ::= 128
>ub-post-office-box INTEGER ::= 40
>ub-postal-code INTEGER ::= 40
>ub-postal-line INTEGER ::= 6
>ub-postal-string INTEGER ::= 30
>ub-schema INTEGER ::= 1024
>ub-serial-number INTEGER ::= 64
>ub-state-name INTEGER ::= 128
>ub-street-address INTEGER ::= 128
>ub-surname INTEGER ::= 64
>ub-tag INTEGER ::= 64
>ub-telephone-number INTEGER ::= 32
>ub-teletex-terminal-id INTEGER ::= 1024
>ub-telex-number INTEGER ::= 14
>ub-title INTEGER ::= 64
>ub-user-password INTEGER ::= 128
>ub-x121-address INTEGER ::= 15
>END
>
>Rodney Thayer wrote:
>>
>> Anyone have ideas on how large a name for an IPSec certificate should be? How many parts (surname, organization, organizational unit, country, etc.) should it have? How big should each entry be allowed to be?
>>
>> I am interested in what IPSec users and implementors want, _not_ what certificate engine vendors are selling. For example, the fact some CAs jam copyright notices, nutritional information, and galactic polar coordinates into these things is not relevant.
>>
>> I was thinking of this:
>>
>> max 16 entries
>> max 256 characters each entry
>>
>> Also, does this work for non-US names? I am not sure how non-US names should be stored in this, and I was present when someone from Japan pointed out we kind of got this wrong in the Open PGP work at the IETF meeting.
>
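An added example, not part of the original messages: a Python check that enforces the Annex C upper bounds quoted above on a distinguished name before it is accepted from a peer certificate. The short attribute names (CN, O, OU, ...), the comma-separated string form of the name, and the reading of "128 or the documented max" as a fallback limit are assumptions of this example; the 16-entry cap is the one proposed in the quoted original post.

```python
# Character upper bounds copied from the UpperBounds module quoted in the thread.
# The short attribute names used as keys are an assumption of this example.
UB = {
    "CN": 64,       # ub-common-name
    "SN": 64,       # ub-surname
    "O": 64,        # ub-organization-name
    "OU": 64,       # ub-organizational-unit-name
    "TITLE": 64,    # ub-title
    "L": 128,       # ub-locality-name
    "ST": 128,      # ub-state-name
    "STREET": 128,  # ub-street-address
}
MAX_ENTRIES = 16     # cap proposed in the quoted original post
FALLBACK_MAX = 128   # assumed limit for attributes without a listed bound

def split_dn(dn):
    """Split 'CN=a, O=b' into (type, value) pairs; a backslash escapes the next char."""
    pairs, buf, escaped = [], [], False
    for ch in dn + ",":
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            attr, sep, value = "".join(buf).partition("=")
            if not sep:
                raise ValueError(f"missing '=' in {''.join(buf)!r}")
            pairs.append((attr.strip().upper(), value))
            buf = []
        else:
            buf.append(ch)
    return pairs

def check_dn(dn):
    """Return a list of violations; an empty list means the name is within bounds."""
    pairs = split_dn(dn)
    problems = []
    if len(pairs) > MAX_ENTRIES:
        problems.append(f"{len(pairs)} entries exceeds {MAX_ENTRIES}")
    for attr, value in pairs:
        limit = UB.get(attr, FALLBACK_MAX)
        # len() counts characters, not encoded bytes, so a 64-character
        # non-ASCII name passes even though its UTF-8 form is much longer.
        if len(value) > limit:
            problems.append(f"{attr}: {len(value)} chars exceeds {limit}")
    return problems
```

Size any fixed buffers for the encoded form separately: the bounds above count characters, and a multi-byte encoding of a non-US name can occupy several times that many bytes.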