Standard way to indicate version and “schema” for X509 Certificate
-
27-10-2019 - |
문제
I have a system in which X509 certificates can have a number of "schemas" where a schema is is a collection of the exact OIDs that are required/optional in the subject of the cert. The application that verifies these certificates needs to know what schema (and what version of that schema) has been used for a given certificate.
For example, Schema A requires CN, O, OU and schema B requires CN, UID, O, C, ST.
I'm looking for a standard way to encode the schema (+ version) in the certificate so the receiving application can tell from the certificate how to parse it. Solutions:
- Hijack some totally unrelated OID to stuff this information into the subject. I don't like this, but it would work as a hack-y fallback.
- Utilize an extension. I think the Subject Directory Attributes looks like it might be appropriate, but then it still seems to require OID name/value pairs as its payload, so again which OIDs?
- Something else entirely?
Again, I can make this work with #1 or could do a similar hack with #2, but what I really want is a standard non-hack way to accomplish this goal.
해결책 2
I've ended up utilizing a UUID-based OID under the 2.25 arc for each of my my two metadata fields (schema and version).
The site below offers a UUID generator as a convenience and a registration link (although registration isn't strictly required):
다른 팁
I'd assume you would care about what schema is used. So that means that you probably have exactly those fields in the DN - and that they are also making up the breath of exactly what is signed by the CA (with the mandatory sundry). So assuming your schema's are different - that would let you distinguish them.
Another option would be a (sub)CA per scheme; or simply use the netscape comment field :).
In my experience however - when it is relevant for the organization to thus advertise, recognize/reconstruct and interpret the scheme - that generally means that it has some business purpose. So it generally has a useful business name. In that case; consider an (extra) O or OU (multi variant if needed) with that in there.