Does this PKITS Test cert conform to RFC 3280?



The EE cert for test 4.3.10, which is supplied in the file named
ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt, has a
commonName attribute in the Subject Name that is 71 characters long.

The question is: does that cert conform to RFC 3280 (?), or does
the length of that common name exceed the RFC's upper bounds?

I have some code that presently rejects that cert because of the
common name length exceeding the upper bound.  Is that code enforcing
the wrong bound?  Or is this cert exceeding the bound?

The commonName in question is:

Valid Rollover from PrintableString to UTF8String EE Certificate Test10

On page 104, RFC 3280 defines upper bounds.  Here is an excerpt:

 > --  specifications of Upper Bounds MUST be regarded as mandatory
 > --  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
 > --  Upper Bounds

 > ub-common-name INTEGER ::= 64

 > ub-common-name-length INTEGER ::= 64

Those upper bounds are referenced in the definitions of
X520CommonName (on page 94) and CommonName (on page 101).  E.g.

 > X520CommonName ::= CHOICE {
 >       teletexString     TeletexString   (SIZE (1..ub-common-name)),
 >       printableString   PrintableString (SIZE (1..ub-common-name)),
 >       universalString   UniversalString (SIZE (1..ub-common-name)),
 >       utf8String        UTF8String      (SIZE (1..ub-common-name)),
 >       bmpString         BMPString       (SIZE (1..ub-common-name)) }

But on page 19, RFC 3280 defines the size of a DirectoryString as

 > DirectoryString ::= CHOICE {
 >          teletexString           TeletexString (SIZE (1..MAX)),
 >          printableString         PrintableString (SIZE (1..MAX)),
 >          universalString         UniversalString (SIZE (1..MAX)),
 >          utf8String              UTF8String (SIZE (1..MAX)),
 >          bmpString               BMPString (SIZE (1..MAX)) }

and Appendix B tells us (page 113):

 >  The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
 >  constructs.  A valid ASN.1 sequence will have zero or more entries.
 >  The SIZE (1..MAX) construct constrains the sequence to have at least
 >  one entry.  MAX indicates the upper bound is unspecified.
 >  Implementations are free to choose an upper bound that suits their
 >  environment.

So, which is the proper upper bound for this common name?

If this cert is exceeding the relevant bound, will a replacement cert
be created that does not?

Regards,

Nelson Bolyard
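The bound check the question turns on, as an added example that is not part of the original message: a minimal DER walker that pulls the commonName (OID 2.5.4.3) out of a subject Name and measures its length in characters (the unit the ASN.1 SIZE constraint uses, which matters for UTF8String and BMPString values) against ub-common-name = 64. The Name below is constructed here from the CN quoted above; it is not the PKITS certificate itself.

```python
# Added example: check an X.509 subject commonName against RFC 3280's
# ub-common-name. Pure stdlib; only the subject Name is parsed, not a cert.

UB_COMMON_NAME = 64                          # RFC 3280 upper bound (page 104)
OID_COMMON_NAME = bytes.fromhex("550403")    # id-at-commonName, 2.5.4.3

# Universal string tags -> codec used to recover the character count.
# T61String (0x14) is approximated as latin-1 here.
STRING_TAGS = {0x13: "ascii", 0x0C: "utf-8", 0x1E: "utf-16-be",
               0x1C: "utf-32-be", 0x14: "latin-1"}

def der_encode(tag, body):
    """DER-encode one TLV (short- or long-form length); used to build samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlvs(buf):
    """Yield (tag, value) for each consecutive TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                          # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def common_names(name_der):
    """Return the decoded commonName strings found in a DER-encoded Name."""
    found = []
    _, rdn_seq = next(der_tlvs(name_der))     # unwrap outer SEQUENCE (RDNSequence)
    for _, rdn_set in der_tlvs(rdn_seq):      # each RelativeDistinguishedName (SET)
        for _, atv in der_tlvs(rdn_set):      # each AttributeTypeAndValue (SEQUENCE)
            (_, oid), (vtag, value) = der_tlvs(atv)
            if oid == OID_COMMON_NAME and vtag in STRING_TAGS:
                found.append(value.decode(STRING_TAGS[vtag]))
    return found

def cn_within_bound(name_der, bound=UB_COMMON_NAME):
    """True only if every commonName has 1..bound characters (not bytes)."""
    return all(1 <= len(cn) <= bound for cn in common_names(name_der))

# Constructed sample: a Name whose only RDN is the test 10 CN as a UTF8String.
TEST10_CN = "Valid Rollover from PrintableString to UTF8String EE Certificate Test10"
TEST10_NAME = der_encode(0x30, der_encode(0x31, der_encode(0x30,
    der_encode(0x06, OID_COMMON_NAME) + der_encode(0x0C, TEST10_CN.encode()))))

if __name__ == "__main__":
    print(len(TEST10_CN), cn_within_bound(TEST10_NAME))   # 71 False
```

A validator that applies DirectoryString's SIZE (1..MAX) instead accepts this Name; passing a larger `bound` models that choice.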