[Cryptography-dev] Re: Is there a limitation on OIDs for x509.SubjectAlternativeName([x509.RegisteredID(value)])

Tue, 09 Dec 2025 10:36:51 -0800 

Paul,
Thank you for this response.  I got the 99. approach from someone who's company is all PKI and did some of this "years ago".  Probably when the openssl code was not well enforcing rules like x.660. 


I can just use the ICAO arc of 1.3.27 and look more legit.  Problem with 
1.3.27 is the admin has long since left this world, and the process to 
assign a new person, leveraging a dead email runs against ICAO internal 
processes and they have been stuck with this, only creating internally 
(poorly) documenting OIDs for a couple years now....



So ICAO doc 10169 is their CP template that includes LOTs of OIDs. 
Registered no where else...  :)


Anyway, I can proceed with my testing.

Thanks

On 12/9/25 12:59 PM, Paul Kehrer via Cryptography-dev wrote:

OIDs have encoding rules and don't allow arbitrary values near the top 
level. For arc 0 and arc 1 the first level sub-arc can't be >39. Take 
a look at https://www.itu.int/rec/T-REC-X.660-201107-I if you're 
interested in learning more.


-Paul (reaperhulk)


On Tue, Dec 9, 2025 at 8:36 AM Robert Moskowitz via Cryptography-dev 
<[email protected]> wrote:


    I have been having problems with what OIDs are allowed for
    RegisteredID.  I do not see any limitation on OIDs here in
    rfc5280, yet an OID like 99.15854644 throws a;
    ValueError: error parsing asn1 value: ParseError { kind:
    InvalidValue }

    1.15854644 fails but 1.3.15854644 works.  Like there is some
    internal table, that I don't believe is in openssl is limiting
    what I put in here.

    Oh, 15854644 is F1EC34 which is a 24-bit Aircraft Number and
    RegisteredID seems a good place (other than cn=24anF1EC34).

    thank you
    _______________________________________________
    Cryptography-dev mailing list -- [email protected]
    To unsubscribe send an email to [email protected]
    https://mail.python.org/mailman3//lists/cryptography-dev.python.org
    Member address: [email protected]


_______________________________________________
Cryptography-dev mailing list [email protected]
To unsubscribe send an email [email protected]
https://mail.python.org/mailman3//lists/cryptography-dev.python.org
Member address:[email protected]

_______________________________________________
Cryptography-dev mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/cryptography-dev.python.org
Member address: [email protected]






















					Reply via email to