Richard Levitte - VMS Whacker wrote:
>
> I wonder, is there any document somewhere that can tell us how the
> different objects should really be named?
Currently there is no such central document since everybody is free
to define OIDs after getting an OID arc. Not even a central registry
exists. For registering OIDs it's sufficient that the owner of the
parent OID publishes it and holds at least a table of his defined
OIDs.
> As it currently looks, most names are created ad-hoc.
Yes, naming of attribute types is somewhat of a mess in OpenSSL.
> I've just been hit with a problem where the naming of OID
> 1.2.840.113549.1.9.1 varies.
dumpasn1.cfg says "emailAddress".
RFC2459 appendix A says:
-------------------------------------------------------------
pkcs-9 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
emailAddress AttributeType ::= { pkcs-9 1 }
-------------------------------------------------------------
In openssl.cnf emailAddress is used in the request and policy
sections.
For certificates I'm currently using Peter Gutmann's dumpasn1.cfg.
Would be nice to have support for this file in OpenSSL.
Another problem: I would like to map emailAddress
(1.2.840.113549.1.9.1) to the mail attribute commonly used in
inetOrgPerson entries on LDAP servers. But it's defined like this
e.g. in OpenLDAP:
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
Another thing you can see in this example is the fact that you can
have several name aliases for an attribute type. AFAIK it's
completely up to the implementation to maintain a local name
registry for OIDs.
> X509_NAME_oneline(), it's displayed as "/Email=...". Other products,
> like the JDK, seem to name it "/EmailAddress=...". As you can see,
> that will create a problem when you try to use the representation used
> by one system in another system.
The /ATTR= writing should be abandoned anyway since it's not a
proper string representation (no proper escaping of special chars).
> In a more general sense, this has hit me as a problem when I hacked
> crypto/objects/objects.txt, because the same name was used for several
> objects or arcs. This tells me that this kind of flat namespace
> doesn't really work, and with time this will only get worse.
> Comments?
IMHO it's up to the application to maintain an OID registry
(eventually with name aliases). Names of attribute types should only
be used when displaying or processing user input.
Ciao, Michael.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
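The thread makes three points that are easy to see in code: an application should keep its own OID registry with name aliases (so "Email", "emailAddress" and "EmailAddress" all resolve to 1.2.840.113549.1.9.1), the "/ATTR=value" form of X509_NAME_oneline() cannot be parsed reliably because it has no escaping, and a certificate attribute may need to be mapped to a differently numbered LDAP attribute such as mail. The following is an added example written for this page; it is not OpenSSL code, not Michael's or Richard's, and nothing here is part of the project. It assumes the standard X.520 OIDs for commonName (2.5.4.3) and countryName (2.5.4.6), the PKCS#9 and OpenLDAP OIDs quoted in the thread, the RFC 2253 / RFC 4514 escaping rules for the properly escaped output form, and a hypothetical application policy table LDAP_EQUIVALENT for the emailAddress-to-mail mapping. The distinguished name used at the bottom is constructed test input.

```python
import re

# Dotted OID syntax: first arc 0-2, then one or more numeric arcs.
_OID_RE = re.compile(r"^[0-2](\.\d+)+$")


class OidRegistry:
    """Application-local OID registry: one OID, any number of name aliases.
    Name lookups are case-insensitive because different products spell the
    same attribute type "Email", "emailAddress" and "EmailAddress"."""

    def __init__(self):
        self._names_by_oid = {}   # oid -> [canonical name, alias, ...]
        self._oid_by_name = {}    # lower-cased name -> oid

    def register(self, oid, *names):
        if not _OID_RE.match(oid):
            raise ValueError(f"malformed OID: {oid!r}")
        if not names:
            raise ValueError("at least one name is required")
        for name in names:
            bound = self._oid_by_name.get(name.lower())
            if bound is not None and bound != oid:
                # Flat-namespace clash (the objects.txt problem): refuse
                # instead of silently rebinding the name to another arc.
                raise ValueError(f"{name!r} already names {bound}, cannot also name {oid}")
        known = self._names_by_oid.setdefault(oid, [])
        for name in names:
            if name not in known:
                known.append(name)
            self._oid_by_name[name.lower()] = oid

    def oid_for(self, name_or_oid):
        """Resolve an alias or a dotted OID to the OID; unknown names are an error."""
        if _OID_RE.match(name_or_oid):
            return name_or_oid
        try:
            return self._oid_by_name[name_or_oid.lower()]
        except KeyError:
            raise KeyError(f"unknown attribute type name: {name_or_oid!r}") from None

    def canonical_name(self, oid):
        """Display name for an OID, or the dotted OID itself if none is registered."""
        names = self._names_by_oid.get(oid)
        return names[0] if names else oid

    def aliases(self, oid):
        return tuple(self._names_by_oid.get(oid, ()))


def parse_oneline(text, registry):
    """Parse the X509_NAME_oneline() form "/ATTR=value/ATTR=value" into
    (oid, value) pairs. The form has no escaping, so a '/' inside a value
    is indistinguishable from a separator; when that produces a chunk
    without '=' we refuse rather than guess. A value such as "a/CN=b"
    cannot be detected at all, which is the thread's point."""
    if not text.startswith("/"):
        raise ValueError("oneline form must start with '/'")
    rdns = []
    for chunk in text[1:].split("/"):
        if "=" not in chunk:
            raise ValueError(f"cannot parse {chunk!r}: '/' inside a value or missing '='")
        attr, value = chunk.split("=", 1)
        rdns.append((registry.oid_for(attr), value))
    return rdns


# Characters that RFC 2253 / RFC 4514 require to be backslash-escaped.
_SPECIAL = set(',+"\\<>;')


def escape_rfc4514(value):
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def to_rfc4514(rdns, registry):
    """Serialise (oid, value) pairs as an RFC 4514 string: canonical names,
    proper escaping, most-specific RDN first (the reverse of the oneline order)."""
    return ",".join(f"{registry.canonical_name(oid)}={escape_rfc4514(v)}"
                    for oid, v in reversed(rdns))


# Assumed application policy (hypothetical, not from the thread): which LDAP
# attribute a certificate attribute is stored under in a directory entry.
LDAP_EQUIVALENT = {"1.2.840.113549.1.9.1": "0.9.2342.19200300.100.1.3"}  # emailAddress -> mail


def ldap_attribute_for(oid, registry):
    return registry.canonical_name(LDAP_EQUIVALENT.get(oid, oid))


def build_registry():
    reg = OidRegistry()
    # PKCS#9 emailAddress as spelled by RFC 2459/dumpasn1.cfg, OpenSSL and the JDK
    reg.register("1.2.840.113549.1.9.1", "emailAddress", "Email", "EmailAddress")
    # LDAP 'mail' and its alias, as in the OpenLDAP schema quoted above
    reg.register("0.9.2342.19200300.100.1.3", "mail", "rfc822Mailbox")
    reg.register("2.5.4.3", "commonName", "CN")   # X.520 commonName
    reg.register("2.5.4.6", "countryName", "C")   # X.520 countryName
    return reg


if __name__ == "__main__":
    reg = build_registry()
    # Constructed sample subject in OpenSSL's oneline form.
    rdns = parse_oneline("/C=SE/CN=Doe, John/Email=user@example.com", reg)
    print(to_rfc4514(rdns, reg))
    print(ldap_attribute_for(reg.oid_for("Email"), reg))
```

Keeping the registry keyed by OID and treating every name as a display alias is what lets the same subject round-trip between a dumpasn1.cfg-style name, OpenSSL's short name and an LDAP attribute without changing what the certificate actually encodes.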