ietf-smime

Object Identifiers: Confusion now hath made his masterpiece

1997-10-29 23:18:25
I've been updating my ASN.1 dump/diagnostic program 
(http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c) over the past few days and 
have started cross-referencing the various OIDs it knows about.  While doing 
this I've become a bit disturbed at the number of redundant, multiply defined, 
incorrectly used, and ambiguous OIDs which are floating around.  For example 
there are no less than a dozen OIDs for the various DSA and SHA combinations, 
including ones used incorrectly (JDK 1.1 uses SHA-1 but denotes its use with 
an SHA OID).
 
Below is a list of some of the problem OIDs or problem areas, if anyone has 
any comments on these or can clear things up, please let me know.  Before 
anyone asks, I didn't record the exact sources for all of this information, 
but in general it came from sundry standards, drafts, RFCs, online 
information, and moles and spies in standards bodies and companies :-).
 
1. DSA and SHA combinations have multiple redundant definitions (X9.57, some 
   old OIW OIDs, and a DMS OID).  Which one is the recommended one?
 
2. PKCS #1 OID (1 2 840 113549 1 1 6) is assigned to both 
   ripemd160WithRSAEncryption and rsaOAEPEncryptionSET.
                                                      
3. PKCS #9 OID (1 2 840 113549 1 9) is assigned to both symmetricCapabilities 
   and SMIMECapabilities.
   
4. There are a whole series of strange OIDs at (1 3 14) which don't make much 
   sense and which are incompatible with or conflict with other OIDs (see the 
   dumpasn1.c code for more information on these).  Any comments on these 
   would be appreciated.
   
5. (1 3 14 3 2 27) is assigned to both ripemd-160 and yet another dsaWithSHA1.
   (This means there are no ripemd-160 OIDs which aren't also assigned to 
   something else.  If no one knows what the situation is with these, I'll 
   issue some RIPEMD-160 OIDs myself just to clear up the confusion).
 
6. X.509v3 cert extensions - what a mess!  There are often multiple 
   generations of superseded and redundant OIDs for extensions, again see the 
   dumpasn1 code comments.
 
7. Most of the SET cert extensions are defined as both (2 23 42 7 x) and 
   (2 54 1775 x+2).
 
There are a couple of European e-commerce and certification initiatives which 
are planning to issue their own OIDs for everything as well (yippee!), if 
anyone knows more about these please let me know.  So far all I've seen are 
general comments to the effect that the OIDs for operations of type X will be 
allocated on branch Y, but no details on which OIDs are actually assigned (the 
BSI is (not surprisingly) quite keen on RIPEMD so maybe we'll see a series of 
proper OIDs issued for that).
             
Peter.
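Added illustration (not part of Peter's post and not dumpasn1's code): a minimal DER OID decoder of the kind a dump tool needs, plus a constructed name table holding the two clashes quoted in items 2 and 5 above, so that an OID mapping to more than one name is reported rather than silently resolved to whichever entry was found first. The DER byte strings and the table contents are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Decode DER OID content octets (tag and length already stripped) into dotted form.
 * Returns 0, or -1 if malformed (truncated run, leading 0x80 pad) or `out` is too small. */
int oid_to_string(const unsigned char *der, size_t len, char *out, size_t outlen)
{
    unsigned long arc = 0; size_t i, pos = 0; int first = 1;  /* arcs > 32 bits unsupported */
    if (len == 0 || (der[len - 1] & 0x80)) return -1;   /* last octet must close a run */
    out[0] = '\0';
    for (i = 0; i < len; i++) {
        if (arc == 0 && der[i] == 0x80) return -1;      /* non-minimal encoding */
        arc = (arc << 7) | (der[i] & 0x7F);
        if (der[i] & 0x80) continue;                    /* high bit set: more septets */
        if (first) {                                    /* first two arcs packed as 40*X+Y */
            unsigned long x = arc < 80 ? arc / 40 : 2, y = arc - 40 * x;
            pos += snprintf(out + pos, outlen - pos, "%lu.%lu", x, y); first = 0;
        } else pos += snprintf(out + pos, outlen - pos, ".%lu", arc);
        if (pos >= outlen) return -1;
        arc = 0;
    }
    return 0;
}

/* Constructed table of clashes quoted in the post: a dumper keyed OID -> one name picks one silently. */
struct oid_name { const char *oid; const char *name; };
static const struct oid_name known[] = {
    { "1.2.840.113549.1.1.6", "ripemd160WithRSAEncryption" },
    { "1.2.840.113549.1.1.6", "rsaOAEPEncryptionSET" },
    { "1.3.14.3.2.27",        "ripemd-160" },
    { "1.3.14.3.2.27",        "dsaWithSHA1" },
};
/* Constructed DER content octets for the two OIDs above. */
const unsigned char oid_pkcs1_6[] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06 };
const unsigned char oid_oiw_27[]  = { 0x2B,0x0E,0x03,0x02,0x1B };
/* 1 if the DER decodes exactly to `expected`, else 0. */
int oid_decodes_to(const unsigned char *der, size_t len, const char *expected)
{
    char buf[128];
    return oid_to_string(der, len, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}
/* Names the table assigns to the OID (>1 means ambiguous); -1 if the DER is malformed. */
int oid_name_count(const unsigned char *der, size_t len)
{
    char buf[128]; int n = 0; size_t i;
    if (oid_to_string(der, len, buf, sizeof buf) != 0) return -1;
    for (i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(known[i].oid, buf) == 0) n++;
    return n;
}
```

Both sample OIDs decode to a count of 2, which is exactly the condition a cross-referencing dumper should flag instead of printing a single name.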
