Liaison statement
Liaison statement to IETF on RFC 5280 attribute length limitations
Additional information about IETF liaison relationships is available on the
IETF webpage
and the
Internet Architecture Board liaison webpage.
State | Posted |
---|---|
Submitted Date | 2022-01-11 |
From Group | ESTI-TC-ESI |
From Contact | Russ Housley |
To Group | lamps |
To Contacts | Russ Housley <housley@vigilsec.com> Tim Hollebeek <tim.hollebeek@digicert.com> |
Cc | Tim Hollebeek <tim.hollebeek@digicert.com> Russ Housley <housley@vigilsec.com> Benjamin Kaduk <kaduk@mit.edu> Roman Danyliw <rdd@cert.org> Limited Additional Mechanisms for PKIX and SMIME Discussion List <spasm@ietf.org> |
Purpose | For information |
Attachments | ESI(21)000140r1_Liaison_statement_to_IETF_on_RFC_5280_attribute_length_limit.docx |
Body |
ETSI brings to the attention of IETF that the limitation of the length of certain attributes indicated in RFC 5280 Annex A.1 mandatory "Upper bounds" which make the document inappropriate for current use. RFC 5280 is widely referenced as a requirement or recommendation in many internationally recognised PKI specifications including: - CA/Browser Forum guidelines for the Issuance And Management of Extended Validation Certificates - ETSI EN 319 412-x Electronic Signatures and Infrastructures (ESI); Certificate Profiles These specifications include requirements for certain attributes to be based upon full names as held in official records / registers. In particular, this applies to registered names held in X.509 attributes: - subject: organizationName - subject: givenName - subject: surname and can also apply to: - subject: commonName - subject: pseudonym - subject: organizationalUnitName In a number of cases the full name as held in official records / registers is larger than the than the limit stated in RFC 5280 Annex A.1 under "Upper bounds". For example, an analysis of a sample of 5000 from 2 million registrations of Legal Entity Identifiers, as made available through the Global Legal Entity Identifier Foundation (see https://search.gleif.org/#/search/), showed 110 cases where the identifier is more than 64 characters). Thus, roughly 2% of organization identifiers officially registered exceed the mandatory limit indicated in RFC 5280 stated as follows: -- specifications of Upper Bounds MUST be regarded as mandatory -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter -- Upper Bounds : : ub-organization-name INTEGER ::= 64 Similar problems have been reported with the use of European national registers for personal and organization names. Since 11/2008 the attributes used in certificate subject names, as defined in X.520, have been changed from being size limited to an " UnboundedDirectoryString". It is considered that modern PKI implementations support the X.520 "UnboundedDirectoryString" for name attributes. ETSI strongly urges IETF to supersede RFC 5280 with a specification including limits based on X.520, instead of X.411 Annex B which has not been updated since 1999. Until then ETSI is having to give specific exclusions to its references to RFC 5280 which is causing unnecessary concern with the adoption of PKIs based on IETF RFCs. |