Subject: [OASIS Issue Tracker] Commented: (IMI-17) The values to use from a certificate to construct the Client Pseudonym need clarification



    [ http://tools.oasis-open.org/issues/browse/IMI-17?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=10209#action_10209 ] 

Scott Cantor commented on IMI-17:
---------------------------------

Based on the ed-08 draft PDF, I would suggest:

Insert after line 2106:

The OBJECT IDENTIFIERS of the significant directory attributes that may be found in the DN are as follows:

...insert table of short name -> OID mappings for the CN, O, L, S, and C attributes...

Note that the abbreviated names used in this specification may not correspond to those used by particular software but the underlying OBJECT IDENTIFIER of each attribute is unambiguous. Implementations MUST use the abbreviated names shown here during the computations described in this section.


> The values to use from a certificate to construct the Client Pseudonym need clarification
> -----------------------------------------------------------------------------------------
>
>                 Key: IMI-17
>                 URL: http://tools.oasis-open.org/issues/browse/IMI-17
>             Project: OASIS Identity Metasystem Interoperability (IMI) TC
>          Issue Type: Bug
>          Components: Editorial
>    Affects Versions: IMI 1.0 PR1
>            Reporter: John Bradley 
>            Assignee: Michael Jones
>            Priority: Minor
>             Fix For: IMI 1.0 CD3
>
>
> The bug is that it is not clear that the value to place in ST= is the one in OID 2.5.4.8.
> If I am a programmer and the OpenSSL lib gives me O=, L=, ST=, C=, CN= etc.
> I may not understand that I need to put the value of ST in |S=. I may think that the value of S= in the cert is an empty string and use that.
> In line 2102 it references RFC2459; if you check the RFC Appendix A the values are:
> id-at-organizationName      OID = 2.5.4.10
> id-at-localityName          OID = 2.5.4.7
> id-at-stateOrProvinceName   OID = 2.5.4.8
> Line 2018 refers to id-at-stateOrProvinceName as ST from RFC 2256.
> Line 2107 uses the LDIF names from RFC 2256, not the names below in parentheses, which are the RFC2459 names.
> Starting at Line 2106, to be correct it should be:
> 2106 CN=string, [OU=string, ...,] O=string, L=string, ST=string, C=string
> 2107 For an end-entity certificate, the values of the attribute types O (id-at-organizationName), L (id-at-localityName), ST
> 2108 (id-at-stateOrProvinceName) and C (id-at-countryName) together uniquely identify the organization to which the
> 2109 end-entity identified by the certificate belongs. These attribute types are collectively referred to as the
> 2110 organizational identifier attributes here. The RP Identifier is constructed using these organizational
> 2111 identifier attributes as described below.
> Line 2124 should be something like:
> |O="|O="id-at-organizationName"|L="id-at-localityName"|S="id-at-stateOrProvinceName"|C="id-at-countryName"|
> Where id-at-organizationName, id-at-localityName, id-at-stateOrProvinceName, and id-at-countryName are the values from the Certificate DN (Distinguished Name).
> We should check the language SAML used. They have the same issue referring to things in certs where the name of the value depends on who you are talking to.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
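Added worked example (not text from the IMI specification, the JIRA issue, or either commenter; the subject DN below is constructed for the example). The point of IMI-17 is that software such as OpenSSL labels id-at-stateOrProvinceName (2.5.4.8) "ST" while the RP Identifier uses "S", so an implementation that keys on printed short names can silently pick up an empty string. The code parses a DER-encoded X.509 Name directly, selects the organizational identifier attributes by OBJECT IDENTIFIER, and only then emits them under the abbreviations the specification uses. The |O="..."|L="..."|S="..."|C="..."| layout is taken from the proposed line 2124 text in the issue; treating an absent attribute as an empty string and using the first occurrence of a repeated attribute are assumptions of the example, not rules from the spec, and the later pseudonym computation that consumes the RP Identifier is not shown.

```python
# Added example: select the IMI organizational identifier attributes from an
# X.509 subject DN by OBJECT IDENTIFIER, not by the short names a library prints.
# Illustrative code, not the IMI specification's text or any product's code.

# OID -> abbreviated name used in the RP Identifier (issue's proposed line 2124).
ORG_ID_OIDS = {
    "2.5.4.10": "O",  # id-at-organizationName
    "2.5.4.7": "L",   # id-at-localityName
    "2.5.4.8": "S",   # id-at-stateOrProvinceName; OpenSSL prints this one as ST
    "2.5.4.6": "C",   # id-at-countryName
}

# The same OIDs as an OpenSSL-style subject dump abbreviates them (for contrast).
OPENSSL_SHORT_NAMES = {"2.5.4.10": "O", "2.5.4.7": "L", "2.5.4.8": "ST",
                       "2.5.4.6": "C", "2.5.4.3": "CN"}

# DirectoryString tags this example decodes: PrintableString, IA5String, UTF8String, BMPString.
_STRING_DECODERS = {0x13: "ascii", 0x16: "ascii", 0x0C: "utf-8", 0x1E: "utf-16-be"}


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (b'\\x55\\x04\\x08' -> '2.5.4.8')."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Parse an X.509 Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) into [(oid, value), ...]."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)  # RelativeDistinguishedName: SET
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        rpos = 0
        while rpos < len(rdn):
            tag, atv, rpos = _read_tlv(rdn, rpos)  # AttributeTypeAndValue: SEQUENCE
            otag, oid_raw, vpos = _read_tlv(atv, 0)
            vtag, val, _ = _read_tlv(atv, vpos)
            if tag != 0x30 or otag != 0x06 or vtag not in _STRING_DECODERS:
                raise ValueError("unsupported AttributeTypeAndValue encoding")
            attrs.append((_decode_oid(oid_raw), val.decode(_STRING_DECODERS[vtag])))
    return attrs


def rp_identifier(der_name):
    """Build |O="..."|L="..."|S="..."|C="..."| by OID. Assumptions of this example: a
    missing attribute yields an empty string; the first occurrence of a repeat is used."""
    found = {}
    for oid, value in parse_name(der_name):
        found.setdefault(oid, value)
    return "|" + "|".join(f'{name}="{found.get(oid, "")}"' for oid, name in ORG_ID_OIDS.items()) + "|"


def short_name_view(der_name):
    """What a programmer sees after an OpenSSL-style dump: a dict keyed by short name."""
    return {OPENSSL_SHORT_NAMES.get(oid, oid): value for oid, value in parse_name(der_name)}


# Minimal DER encoder, used only to construct the sample subject below.
def _tlv(tag, content):
    if len(content) >= 128:
        raise ValueError("sample encoder only supports short-form lengths")
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out += reversed(chunk)
    return bytes(out)


def encode_name(attrs):
    """Encode [(oid, value), ...] as a DER Name, one PrintableString attribute per RDN."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x13, v.encode("ascii"))))
                    for oid, v in attrs)
    return _tlv(0x30, rdns)


# Constructed sample subject, in the order a CA would typically emit it.
SAMPLE_SUBJECT = encode_name([
    ("2.5.4.6", "US"), ("2.5.4.8", "Washington"), ("2.5.4.7", "Redmond"),
    ("2.5.4.10", "Example Bank"), ("2.5.4.3", "www.example.com"),
])

if __name__ == "__main__":
    print(short_name_view(SAMPLE_SUBJECT))  # key is 'ST'; there is no 'S' to look up
    print(rp_identifier(SAMPLE_SUBJECT))    # |O="Example Bank"|L="Redmond"|S="Washington"|C="US"|
```

Run as a script it prints the OpenSSL-style view next to the OID-based RP Identifier, which makes the ST-versus-S trap visible. Against a real certificate, `openssl x509 -noout -subject -nameopt oid` prints the attribute types numerically, which is the quickest way to confirm which value is 2.5.4.8 regardless of how a given toolkit abbreviates it.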

        

