I've been updating my ASN.1 dump/diagnostic program
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c) over the past few days and
have started cross-referencing the various OIDs it knows about. While doing
this I've become a bit disturbed at the number of redundant, multiply defined,
incorrectly used, and ambiguous OIDs which are floating around. For example
there are no less than a dozen OIDs for the various DSA and SHA combinations,
including ones used incorrectly (JDK 1.1 uses SHA-1 but denotes its use with
an SHA OID).
Below is a list of some of the problem OIDs or problem areas, if anyone has
any comments on these or can clear things up, please let me know. Before
anyone asks, I didn't record the exact sources for all of this information,
but in general it came from sundry standards, drafts, RFC's, online
information, and moles and spies in standards bodies and companies :-).
1. DSA and SHA combinations have multiple redundant definitions (X9.57, some
old OIW OIDs, and a DMS OID). Which one is the recommended one?
2. PKCS #1 OID (1 2 840 113549 1 1 6) is assigned to both
ripemd160WithRSAEncryption and rsaOAEPEncryptionSET.
3. PKCS #9 OID (1 2 840 113549 1 9) is assigned to both symmetricCapabilities
and SMIMECapabilities.
4. There are a whole series of strange OIDs at (1 3 14) which don't make much
sense and which are incompatible with or conflict with other OIDs (see the
dumpasn1.c code for more information on these). Any comments on these
would be appreciated.
5. (1 3 14 3 2 27) is assigned to both ripemd-160 and yet another dsaWithSHA1.
(This means there are no ripemd-160 OIDs which aren't also assigned to
something else. If noone knows what the situation is with these, I'll
issue some RIPEMD-160 OIDs myself just to clear up the confusion).
6. X.509v3 cert extensions - what a mess! There are often multiple
generations of superseded and redundant OIDs for extensions, again see the
dumpasn1 code comments.
7. Most of the SET cert extensions are defined as both (2 23 42 7 x) and
(2 54 1775 x+2).
There are a couple of European e-commerce and certification initiatives which
are planning to issue their own OIDs for everything as well (yippee!), if
anyone knows more about these please let me know. So far all I've seen are
general comments to the effect that the OIDs for operations of type X will be
allocated on branch Y, but no details on which OIDs are actually assigned (the
BSI is (not surprisingly) quite keen on RIPEMD so maybe we'll see a series of
proper OIDs issued for that).
Peter.