
Liaison statement
Liaison statement to IETF on RFC 5280 attribute length limitations

State Posted
Submitted Date 2022-01-11
From Group ESTI-TC-ESI
From Contact Russ Housley
To Group lamps
To Contacts Russ Housley <housley@vigilsec.com>
Tim Hollebeek <tim.hollebeek@digicert.com>
Cc Tim Hollebeek <tim.hollebeek@digicert.com>
Russ Housley <housley@vigilsec.com>
Benjamin Kaduk <kaduk@mit.edu>
Roman Danyliw <rdd@cert.org>
Limited Additional Mechanisms for PKIX and SMIME Discussion List <spasm@ietf.org>
Purpose For information
Attachments ESI(21)000140r1_Liaison_statement_to_IETF_on_RFC_5280_attribute_length_limit.docx
Body
ETSI brings to the attention of IETF that the length limitations on certain
attributes indicated in RFC 5280 Annex A.1 (the mandatory "Upper Bounds")
make the document inappropriate for current use. RFC 5280 is widely
referenced as a requirement or recommendation in many internationally
recognised PKI specifications including:

-       CA/Browser Forum Guidelines for the Issuance and Management of Extended
Validation Certificates
-       ETSI EN 319 412-x Electronic Signatures and Infrastructures (ESI);
Certificate Profiles

These specifications include requirements for certain attributes to be based
upon full names as held in official records / registers.  In particular, this
applies to registered names held in X.509 attributes:
-       subject: organizationName
-       subject: givenName
-       subject: surname

and can also apply to:
-       subject: commonName
-       subject: pseudonym
-       subject: organizationalUnitName

In a number of cases the full name as held in official records / registers is
larger than the limit stated in RFC 5280 Annex A.1 under "Upper Bounds".  For
example, an analysis of a sample of 5000 from 2 million registrations of Legal
Entity Identifiers, as made available through the Global Legal Entity
Identifier Foundation (see https://search.gleif.org/#/search/), showed 110
cases where the identifier is more than 64 characters.  Thus, roughly 2% of
officially registered organization identifiers exceed the mandatory limit
indicated in RFC 5280, stated as follows:

--  specifications of Upper Bounds MUST be regarded as mandatory
--  from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
--  Upper Bounds
:
:
ub-organization-name INTEGER ::= 64

Similar problems have been reported with the use of European national registers
for personal and organization names.

Since 11/2008 the attributes used in certificate subject names, as defined in
X.520, have been changed from being size limited to an
"UnboundedDirectoryString".  It is considered that modern PKI implementations
support the X.520 "UnboundedDirectoryString" for name attributes.
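
As an added illustration (not part of the ETSI statement or of any IETF or
ITU-T text), the following Python encodes a subject Name in DER, decodes it
again, and checks the subject attributes named above against the RFC 5280
Appendix A.1 upper bounds. It shows two things the statement implies but does
not spell out: DER itself carries no such bound, so a 71-character
organizationName encodes and decodes without complaint and only a profile check
rejects it; and the ASN.1 SIZE constraint counts characters, not UTF-8 octets,
so a 61-character name with umlauts is conformant even though its encoded value
is 65 bytes long. The DER helpers are a deliberately minimal illustration for
UTF8String values only, and every sample name is constructed for this example.

```python
"""Added example (not part of the ETSI statement or of any IETF document):
encode an X.509 subject Name in DER, decode it again, and check the subject
attributes named in the statement against the RFC 5280 Appendix A.1 bounds.

The DER helpers below are a deliberately minimal illustration that handles only
UTF8String attribute values; they are not a general ASN.1 library. All sample
names are constructed for this example."""

# Bounds from RFC 5280 Appendix A.1 "Upper Bounds", counted in characters.
# Only subject attributes whose bound is a single SIZE constraint are listed;
# givenName and surname are omitted here.
UPPER_BOUNDS = {
    "2.5.4.3": ("commonName", 64),               # ub-common-name
    "2.5.4.10": ("organizationName", 64),        # ub-organization-name
    "2.5.4.11": ("organizationalUnitName", 64),  # ub-organizational-unit-name
    "2.5.4.65": ("pseudonym", 128),              # ub-pseudonym
}

# Constructed sample: a 71-character registered name, which exceeds 64.
LONG_ORG = "Example Holding Company for Industrial Research and Development Limited"
# Constructed sample: 61 characters but 65 UTF-8 octets, so it is within the
# bound even though its encoded value is longer than 64 bytes.
UMLAUT_ORG = "Prüfstelle für Beispielzertifikate der Übungsgesellschaft Süd"

# One AttributeTypeAndValue per RDN, as (dotted OID, value) pairs.
SAMPLE_RDNS = [("2.5.4.10", LONG_ORG), ("2.5.4.3", "Example Holding Company")]


def _der_len(n):
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_oid(dotted):
    """Encode a dotted OID into its base-128 content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return out


def encode_name(rdns):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, values as UTF8String."""
    seq = b""
    for oid, value in rdns:
        atv = _der_tlv(0x06, _der_oid(oid)) + _der_tlv(0x0C, value.encode("utf-8"))
        seq += _der_tlv(0x31, _der_tlv(0x30, atv))  # SET { SEQUENCE { oid, value } }
    return _der_tlv(0x30, seq)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der):
    """Inverse of encode_name; note that no length bound is enforced here."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _read_tlv(seq, pos)
        assert tag == 0x31
        _, atv, _ = _read_tlv(rdn_set, 0)
        tag_oid, oid_bytes, p = _read_tlv(atv, 0)
        tag_val, val_bytes, _ = _read_tlv(atv, p)
        assert tag_oid == 0x06 and tag_val == 0x0C
        rdns.append((_decode_oid(oid_bytes), val_bytes.decode("utf-8")))
    return rdns


def check_upper_bounds(rdns):
    """Return (attribute name, length in characters, bound) for each attribute
    exceeding its RFC 5280 A.1 bound. Length is counted in characters, which is
    what the ASN.1 SIZE constraint measures, not in UTF-8 octets."""
    violations = []
    for oid, value in rdns:
        if oid in UPPER_BOUNDS:
            name, bound = UPPER_BOUNDS[oid]
            if len(value) > bound:
                violations.append((name, len(value), bound))
    return violations


if __name__ == "__main__":
    der = encode_name(SAMPLE_RDNS)
    print(f"DER Name is {len(der)} octets; decoded: {decode_name(der)}")
    for name, n, bound in check_upper_bounds(decode_name(der)):
        print(f"{name}: {n} characters exceeds the RFC 5280 bound of {bound}")
    print(f"{UMLAUT_ORG!r}: {len(UMLAUT_ORG)} characters, "
          f"{len(UMLAUT_ORG.encode('utf-8'))} octets, "
          f"violations: {check_upper_bounds([('2.5.4.10', UMLAUT_ORG)])}")
```

A validator that applied the bound to the encoded octet length rather than the
decoded character count would wrongly reject the second sample; one that
applied no bound at all, as an X.520 UnboundedDirectoryString consumer does,
would accept both.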

ETSI strongly urges IETF to supersede RFC 5280 with a specification including
limits based on X.520, instead of X.411 Annex B, which has not been updated
since 1999.  Until then, ETSI has to give specific exclusions in its references
to RFC 5280, which is causing unnecessary concern with the adoption of PKIs
based on IETF RFCs.