Re: Does this PKITS Test cert conform to RFC 3280 ?



Nelson,

It was not my intention to make any of the attribute values in names 
longer than allowed by the standard.  I simply wasn't counting the 
number of characters in the names that I was creating and was not 
thinking about these bounds at the time.

I have changed the subject name in certificate mentioned below to 
"cn=Valid Rollover PrintableString to UTF8String EE Cert Test10, ..." so 
that it is now less than 64 characters long.

I will be regenerating the test data in the near future and will post 
new data and updated test documentation as soon as it is ready.

Thanks,

Dave

Nelson Bolyard wrote:

>The EE cert for test 4.3.10, which is supplied in the file named
>ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt, has a
>commonName attribute in the Subject Name that is 71 characters long.
>
>The question is: does that cert conform to RFC 3280 (?), or does
>the length of that common name exceed the RFC's upper bounds?
>
>I have some code that presently rejects that cert because of the
>common name length exceeding the upper bound.  Is that code enforcing
>the wrong bound?  Or is this cert exceeding the bound?
>
>The commonName in question is:
>
>Valid Rollover from PrintableString to UTF8String EE Certificate Test10
>
>On page 104, RFC 3280 defines upper bounds.  Here is an excerpt:
>
> > --  specifications of Upper Bounds MUST be regarded as mandatory
> > --  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
> > --  Upper Bounds
>
> > ub-common-name INTEGER ::= 64
>
> > ub-common-name-length INTEGER ::= 64
>
>Those upper bounds are referenced in the definitions of
>X520CommonName (on page 94) and CommonName (on page 101).  E.g.
>
> > X520CommonName ::= CHOICE {
> >       teletexString     TeletexString   (SIZE (1..ub-common-name)),
> >       printableString   PrintableString (SIZE (1..ub-common-name)),
> >       universalString   UniversalString (SIZE (1..ub-common-name)),
> >       utf8String        UTF8String      (SIZE (1..ub-common-name)),
> >       bmpString         BMPString       (SIZE (1..ub-common-name)) }
>
>But on page 19, RFC 3280 defines the size of a DirectoryString as
>
> > DirectoryString ::= CHOICE {
> >          teletexString           TeletexString (SIZE (1..MAX)),
> >          printableString         PrintableString (SIZE (1..MAX)),
> >          universalString         UniversalString (SIZE (1..MAX)),
> >          utf8String              UTF8String (SIZE (1..MAX)),
> >          bmpString               BMPString (SIZE (1..MAX)) }
>
>and Appendix B tells us (page 113):
>
> >  The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
> >  constructs.  A valid ASN.1 sequence will have zero or more entries.
> >  The SIZE (1..MAX) construct constrains the sequence to have at least
> >  one entry.  MAX indicates the upper bound is unspecified.
> >  Implementations are free to choose an upper bound that suits their
> >  environment.
>
>So, which is the proper upper bound for this common name?
>
>If this cert is exceeding the relevant bound, will a replacement cert
>be created that does not?
>
>Regards,
>
>Nelson Bolyard
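As an added example, not part of either message in this thread: a small Python checker that decodes a DER-encoded commonName value and measures it against ub-common-name, counting characters rather than octets (the tag-to-codec table and the Latin-1 handling of TeletexString are assumptions; the two sample names are the ones quoted in the thread).

```python
# Added example (not from the thread): check a DER-encoded commonName value
# against the RFC 3280 bound ub-common-name = 64. ASN.1 SIZE constraints on
# string types count characters, not octets, so values are decoded first.
UB_COMMON_NAME = 64
# Constructed samples from the thread: the 71-character original and its replacement.
ORIGINAL_CN = "Valid Rollover from PrintableString to UTF8String EE Certificate Test10"
REPLACEMENT_CN = "Valid Rollover PrintableString to UTF8String EE Cert Test10"
# Universal tags of the X520CommonName string types and the codec used to
# decode each (treating TeletexString as Latin-1 is an assumption).
STRING_TAGS = {
    0x13: ("PrintableString", "ascii"),
    0x0C: ("UTF8String", "utf-8"),
    0x1E: ("BMPString", "utf-16-be"),
    0x1C: ("UniversalString", "utf-32-be"),
    0x14: ("TeletexString", "latin-1"),
}

def encode_string(tag, text):
    """Minimal DER encoder for one string value (definite-length TLV)."""
    body = text.encode(STRING_TAGS[tag][1])
    n = len(body)
    if n < 0x80:
        length = bytes([n])                     # short form
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb   # long form
    return bytes([tag]) + length + body

def decode_string(der):
    """Parse one DER string TLV; return (type name, octet count, text)."""
    tag = der[0]
    if tag not in STRING_TAGS:
        raise ValueError("tag 0x%02x is not a DirectoryString type" % tag)
    name, codec = STRING_TAGS[tag]
    first = der[1]
    if first < 0x80:
        n, off = first, 2
    else:
        k = first & 0x7F
        n, off = int.from_bytes(der[2:2 + k], "big"), 2 + k
    body = der[off:off + n]
    if len(body) != n:
        raise ValueError("truncated value")
    return name, n, body.decode(codec)

def check_common_name(der):
    """Return (type, octets, characters, within ub-common-name)."""
    name, octets, text = decode_string(der)
    return name, octets, len(text), 1 <= len(text) <= UB_COMMON_NAME
```

A BMPString encoding of the same name doubles the octet count but not the character count, which is why a checker that measures the raw TLV body would misjudge the bound.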