
Subject: [OASIS Issue Tracker] Created: (IMI-17) The values to use from a certificate to construct the Client Pseudonym need clarification


The values to use from a certificate to construct the Client Pseudonym need clarification
-----------------------------------------------------------------------------------------

                 Key: IMI-17
                 URL: http://tools.oasis-open.org/issues/browse/IMI-17
             Project: OASIS Identity Metasystem Interoperability (IMI) TC
          Issue Type: Bug
          Components: Editorial
    Affects Versions: IMI 1.0 PR1
            Reporter: John Bradley 
            Assignee: Marc Goodner
            Priority: Minor


The bug is that it is not clear that the value to place in ST= is the
one in OID 2.5.4.8.

If I am a programmer and the OpenSSL lib gives me
O=, L=, ST=, C=, CN= etc.

I may not understand that I need to put the value of ST in |S=. I may
think that the value of S= in the cert is an empty string and use that.

In line 2102 it references RFC 2459; if you check the RFC Appendix A,
the values are:
id-at-organizationName      OID = 2.5.4.10
id-at-localityName          OID = 2.5.4.7
id-at-stateOrProvinceName   OID = 2.5.4.8
Line 2018 refers to id-at-stateOrProvinceName as ST from RFC 2256.
Line 2107 uses the LDIF names from RFC 2256, not the names below in
parentheses, which are the RFC 2459 names.
Starting at Line 2106 to be correct should be:
2106 CN=string, [OU=string, ...,] O=string, L=string, ST=string,  
C=string
2107 For an end-entity certificate, the values of the attribute types  
O (id-at-organizationName), L (id-at-localityName), ST
2108 (id-at-stateOrProvinceName) and C (id-at-countryName) together  
uniquely identify the organization to which the
2109 end-entity identified by the certificate belongs. These attribute  
types are collectively referred to as the
2110 organizational identifier attributes here. The RP Identifier is  
constructed using these organizational
2111 identifier attributes as described below.

Line 2124 should be something like:
|O="|O="id-at-organizationName"|L="id-at-localityName"|S="id-at-stateOrProvinceName"|C="id-at-countryName"|
Where id-at-organizationName, id-at-localityName, id-at-stateOrProvinceName,
and id-at-countryName are the values from the
Certificate DN (Distinguished Name).

We should check the language SAML used.  They have the same issue referring to things in certs where the name of the value depends on who you are talking to.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
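The mapping the issue asks the spec to spell out, as an added example that is not part of the issue report or of the IMI TC's text: the organizational identifier is keyed on attribute OIDs (2.5.4.10, 2.5.4.7, 2.5.4.8, 2.5.4.6), so the S= field must be filled from id-at-stateOrProvinceName (the attribute OpenSSL labels ST), not from a lookup of the literal short name "S". The code below parses a constructed OpenSSL-style one-line subject DN, resolves short names to OIDs, builds the |O=...|L=...|S=...|C=...| string in the form the issue proposes for line 2124, and shows the naive "look up S" construction that silently yields an empty state. Assumptions: the DN is available as a one-line string (no real certificate is parsed, only `\c` escapes are handled), missing attributes are treated as an error rather than emitted empty, and because the issue text defines no escaping for `"` or `|` inside values, such values are rejected instead of inventing a rule.

```python
"""Build the IMI organizational identifier from an X.509 subject DN.

Added example; not code from the IMI TC or the issue reporter. It works on a
constructed one-line DN string, not on a real certificate.
"""
from __future__ import annotations

# Attribute types from RFC 2459 Appendix A / RFC 2256.
OID_CN = "2.5.4.3"
OID_COUNTRY = "2.5.4.6"
OID_LOCALITY = "2.5.4.7"
OID_STATE = "2.5.4.8"      # id-at-stateOrProvinceName: "ST" in OpenSSL, "S" in the IMI form
OID_ORG = "2.5.4.10"
OID_OU = "2.5.4.11"

# Short names seen in the wild, all resolved to the OID so the label used by
# whichever toolkit produced the DN no longer matters.
SHORT_NAME_TO_OID = {
    "CN": OID_CN, "commonName": OID_CN,
    "C": OID_COUNTRY, "countryName": OID_COUNTRY,
    "L": OID_LOCALITY, "localityName": OID_LOCALITY,
    "ST": OID_STATE, "S": OID_STATE, "stateOrProvinceName": OID_STATE,
    "O": OID_ORG, "organizationName": OID_ORG,
    "OU": OID_OU, "organizationalUnitName": OID_OU,
}
OID_TO_OPENSSL = {OID_CN: "CN", OID_COUNTRY: "C", OID_LOCALITY: "L",
                  OID_STATE: "ST", OID_ORG: "O", OID_OU: "OU"}

# Constructed sample subject; note the escaped comma inside O=.
SAMPLE_DN = "CN=sts.example.test, OU=Identity, O=Example Corp\\, Inc., L=Redmond, ST=Washington, C=US"


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on sep, skipping backslash-escaped characters (escapes kept)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(v: str) -> str:
    """Resolve simple backslash escapes (\\, becomes ,); hex escapes are out of scope here."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append(v[i + 1]); i += 2
        else:
            out.append(v[i]); i += 1
    return "".join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse an OpenSSL/RFC 2253-style one-line DN into (OID, value) pairs.
    Unknown attribute names (including dotted OIDs) pass through unchanged."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        rdn = rdn.strip()
        if not rdn:
            continue
        name, _, value = rdn.partition("=")
        name = name.strip()
        oid = SHORT_NAME_TO_OID.get(name) or SHORT_NAME_TO_OID.get(name.upper()) or name
        pairs.append((oid, _unescape(value.strip())))
    return pairs


def dn_value(pairs: list[tuple[str, str]], oid: str) -> str | None:
    """First value of the given attribute type, or None if the DN lacks it."""
    return next((v for o, v in pairs if o == oid), None)


def openssl_fields(pairs: list[tuple[str, str]]) -> dict[str, str]:
    """The DN as a dict keyed by OpenSSL's short names (state is 'ST', never 'S')."""
    return {OID_TO_OPENSSL.get(o, o): v for o, v in pairs}


def organizational_identifier(pairs: list[tuple[str, str]]) -> str:
    """Correct construction: each label is filled by OID, so S= gets 2.5.4.8."""
    fields = (("O", OID_ORG), ("L", OID_LOCALITY), ("S", OID_STATE), ("C", OID_COUNTRY))
    out = []
    for label, oid in fields:
        value = dn_value(pairs, oid)
        if value is None:   # assumption: a missing attribute is an error, not ""
            raise ValueError(f"subject DN lacks {label} ({oid})")
        if '"' in value or "|" in value:   # the issue text defines no escaping
            raise ValueError(f"{label} value contains an unescapable delimiter")
        out.append(f'{label}="{value}"')
    return "|" + "|".join(out) + "|"


def naive_identifier(fields: dict[str, str]) -> str:
    """The mistake the issue describes: indexing OpenSSL's field names by the
    IMI label 'S'. OpenSSL calls the attribute 'ST', so S= silently becomes ""."""
    return "|" + "|".join(f'{k}="{fields.get(k, "")}"' for k in ("O", "L", "S", "C")) + "|"


if __name__ == "__main__":
    pairs = parse_dn(SAMPLE_DN)
    print("correct:", organizational_identifier(pairs))
    print("naive:  ", naive_identifier(openssl_fields(pairs)))
```

Resolving by OID also makes the spec's wording choice moot for implementers: a DN written with "S=", "ST=" or "stateOrProvinceName=" all land in the same field, which is the behaviour the reporter is asking the text to make unambiguous.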
