Long OID issue inside X509 certificate

We have a CA that issues certificates with a "Certificate Policies" extension containing our organization's public OID.
The problem is that, unfortunately, the organization's policy ID (OID) is too long (some arcs of the OID) to be parsed in some programming languages, for example Go. As a result, a number of important, well-known and familiar tools cannot load or use our certificates in any scenario, e.g. as SSL/TLS certificates.
Our subordinate CAs have the same problem. We are looking for a solution. Is there any way to keep using the existing policy in the certificate, such as segmenting the OID or shortening the OID?

I'm afraid you're out of luck.

RFC 5280 Appendix B states the following about any object identifier:

Object Identifiers (OIDs) are used throughout this specification to identify certificate policies, public key and signature algorithms, certificate extensions, etc. There is no maximum size for OIDs. This specification mandates support for OIDs that have arc elements with values that are less than 2^28, that is, they MUST be between 0 and 268,435,455, inclusive. This allows each arc element to be represented within a single 32-bit word. Implementations MUST also support OIDs where the length of the dotted decimal (see Section 1.4 of [RFC4512]) string representation can be up to 100 bytes (inclusive). Implementations MUST be able to handle OIDs with up to 20 elements (inclusive). CAs SHOULD NOT issue certificates that contain OIDs that exceed these requirements. Likewise, CRL issuers SHOULD NOT issue CRLs that contain OIDs that exceed these requirements.

Although there is no maximum size for these OIDs, implementations do not have to support OIDs of unbounded size.

If your OID is rather long, your CA needs to take note of the penultimate sentence of the paragraph above.

Section 6.1.3 (d)(1)(i) of the RFC defines policy processing and refers only to matching OIDs. I'm afraid there is no concept of segmenting or shortening an OID.

Your only option is to reissue with a shorter OID.
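As an added illustration (not part of the answer above, and not code from any CA product), the following Go program checks an OID against the three Appendix B limits quoted in the answer (arc value below 2^28, dotted-decimal form of at most 100 bytes, at most 20 arcs) and then round-trips the same OID through Go's own encoding/asn1, the parser crypto/x509 uses, since the question names Go as a language that fails. All sample OIDs are constructed for the demo and are not registered policy OIDs; the behaviour shown for Go (arcs above 2^31-1 are rejected with a "base 128 integer too large" structural error, while arcs between 2^28 and 2^31-1 still decode) is that of current encoding/asn1 and is looser than the RFC mandate, so an OID that Go refuses is well outside what any RFC 5280 implementation is required to accept.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// Bounds from RFC 5280 Appendix B: what every implementation MUST support
// and what a CA SHOULD NOT exceed.
const (
	maxArcValue  = 1<<28 - 1 // each arc value MUST be less than 2^28
	maxDottedLen = 100       // dotted-decimal string up to 100 bytes
	maxArcCount  = 20        // up to 20 arc elements
)

// checkOIDLimits returns one message per Appendix B limit the OID exceeds.
// An empty result means any conforming RFC 5280 implementation must accept it.
func checkOIDLimits(oid asn1.ObjectIdentifier) []string {
	var problems []string
	if len(oid) > maxArcCount {
		problems = append(problems, fmt.Sprintf("%d arcs, limit is %d", len(oid), maxArcCount))
	}
	if n := len(oid.String()); n > maxDottedLen {
		problems = append(problems, fmt.Sprintf("dotted form is %d bytes, limit is %d", n, maxDottedLen))
	}
	for i, arc := range oid {
		if arc < 0 || arc > maxArcValue {
			problems = append(problems, fmt.Sprintf("arc %d is %d, limit is %d", i, arc, maxArcValue))
		}
	}
	return problems
}

// roundTrip DER-encodes the OID and decodes it again with encoding/asn1, the
// parser crypto/x509 uses for certificate extensions. It returns Go's decode
// error, or nil when Go accepts the OID. Go caps each arc at 2^31-1, which is
// looser than the RFC mandate of 2^28-1.
func roundTrip(oid asn1.ObjectIdentifier) error {
	der, err := asn1.Marshal(oid)
	if err != nil {
		return fmt.Errorf("marshal: %w", err)
	}
	var decoded asn1.ObjectIdentifier
	if _, err := asn1.Unmarshal(der, &decoded); err != nil {
		return fmt.Errorf("unmarshal: %w", err)
	}
	return nil
}

type sample struct {
	name string
	oid  asn1.ObjectIdentifier
}

// samples returns constructed OIDs for the demo; none is a registered policy
// OID. The 2^31 arc is built from an int64 at run time so the file still
// compiles on 32-bit targets (the demo itself assumes a 64-bit int).
func samples() []sample {
	var bigArc int64 = 1 << 31
	tooMany := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1}
	for len(tooMany) <= maxArcCount {
		tooMany = append(tooMany, 1)
	}
	tooLong := asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1}
	for len(tooLong.String()) <= maxDottedLen {
		tooLong = append(tooLong, maxArcValue) // largest arc still within the mandate
	}
	return []sample{
		{"within limits", asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}},
		{"arc equal to 2^28", asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 1 << 28}},
		{"arc equal to 2^31", asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, int(bigArc)}},
		{"21 arcs", tooMany},
		{"dotted form over 100 bytes", tooLong},
	}
}

// sampleByName looks up one of the constructed samples (nil if unknown).
func sampleByName(name string) asn1.ObjectIdentifier {
	for _, s := range samples() {
		if s.name == name {
			return s.oid
		}
	}
	return nil
}

func main() {
	for _, s := range samples() {
		fmt.Printf("%-27s %s\n", s.name, s.oid)
		for _, p := range checkOIDLimits(s.oid) {
			fmt.Println("   RFC 5280 Appendix B:", p)
		}
		if err := roundTrip(s.oid); err != nil {
			fmt.Println("   Go encoding/asn1:", err)
		} else {
			fmt.Println("   Go encoding/asn1: decodes without error")
		}
	}
}
```

Running it against your real policy OID (replace the "within limits" sample) tells you which of the three limits the CA is violating; if the dotted form or arc count is the problem, Go will still decode the OID and the failing tool is enforcing a stricter bound of its own, whereas an arc of 2^31 or more fails in Go itself.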