Question about stateOrProvince


Question about stateOrProvince

Tim Boring
When creating a CSR, openssl displays the following

<quote>
State or Province Name (full name) [Some-State]:
</quote>

But, I can't find anywhere in the OpenSSL codebase that validates that the input is indeed a "full name"--e.g., that the input is "New York" instead of "NY".

I've done this search in Github:

After looking through the code, I stumbled across the "ub_locality_name" size limit:

And a couple lines up from that is a comment pointing to RFC 3280, which defines the following:
<quote>
id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

X520StateOrProvinceName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-state-name)),
      printableString   PrintableString (SIZE (1..ub-state-name)),
      universalString   UniversalString (SIZE (1..ub-state-name)),
      utf8String        UTF8String      (SIZE (1..ub-state-name)),
      bmpString         BMPString       (SIZE(1..ub-state-name)) }
ub-state-name INTEGER ::= 128
</quote>
I'm curious about this because the openssl command will create a CSR where stateOrProvince has a two-character (U.S.) state name, and (at least one) CA (Comodo) will happily issue a cert using such a CSR. 

Is there any issue with a cert generated using such a CSR? Should the openssl command validate stateOrProvince? If not, then maybe it's just a matter of changing the prompt (I'm happy to submit a PR for such a minor change).

Thanks,
Tim


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Question about stateOrProvince

Salz, Rich
Perhaps one way to read it is as state, or full name if a province.

Or just remove the "full name" part of the text, I suppose.


--  
Senior Architect, Akamai Technologies
IM: [hidden email] Twitter: RichSalz



Re: Question about stateOrProvince

Wim Lewis-3
In reply to this post by Tim Boring
On Aug 30, 2016, at 6:28 PM, Tim Boring <[hidden email]> wrote:
> When creating a CSR, openssl displays the following
>
> <quote>
> State or Province Name (full name) [Some-State]:
> </quote>
...
> And a couple lines up from that is a comment pointing to RFC 3280, which defines the following:

The original definition is from X.520, I suppose, which doesn't explicitly say whether abbreviations are allowed, although the example it gives is for a full name (Ohio). [1]

> I'm curious about this because the openssl command will create a CSR where stateOrProvince has a two-character (U.S.) state name, and (at least one) CA (Comodo) will happily issue a cert using such a CSR.

I think for ordinary domain-validated certificates, almost nothing in the Subject is actually validated or used by the browser, and I'd guess not inspected by the CA either.

In situations where people actually care, the full name seems to be required for that attribute. The following language shows up in a few places via google:

From the CAB Forum guidelines for EV certs [3]:
> State, province, or locality information (where applicable) must use the full name of the applicable jurisdiction.


From a randomly found ITU-T draft of what became the EV certificate guidelines (TD 0411 [2], section 8.1.1 (4)):
> State or province or locality information (where applicable) for the Subject’s Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction.


My understanding from all this is that the correct use of that attribute is to have the full name, not an abbreviation, but that in most cases, a certificate's subject can contain any old garbage you like and it'll still work for TLS.

For situations other than TLS, of course, it's even vaguer, but I read X.520 as implying that the full name is preferred, but abbreviations may be used as alternatives in directories and so on.

>  If not, then maybe it's just a matter of changing the prompt (I'm happy to submit a PR for such a minor change).


I'd argue that the prompt should stay the same. The user can type an abbreviation if they like, but if they're uncertain whether to type an abbreviation or a full name, then it's nice to include that guidance. (The country attribute, in contrast, is required to be an ISO 3166 code according to X.520.)


[1] http://www.itu.int/rec/T-REC-X.520
[2] https://www.first.org/global/standardisation/docs/t09-sg17-090916-td-plen-0411__msw-e.doc
[3] https://cabforum.org/ev-certificate-contents/



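The two constraints raised in this thread, the RFC 3280 bound SIZE (1..ub-state-name) quoted in Tim's post and the EV-guideline rule quoted in Wim's reply that the value must be the full jurisdiction name, can be checked on the DER-encoded Subject after the fact, since `openssl req` enforces neither. The following is an added example and is not code from the thread or from OpenSSL. It uses only the Python standard library; the small DER encoder is there solely to construct the sample subjects, and "full name" is approximated by flagging any two-letter upper-case value (the "NY" case from the thread), which is a heuristic of this example, not the guidelines' definition.

```python
"""
Lint the stateOrProvinceName attribute (OID 2.5.4.8) of a DER-encoded X.501 Name.

Checks applied (both assumptions of this example, derived from the thread):
  * the ASN.1 bound SIZE (1..ub-state-name), ub-state-name = 128 (RFC 3280)
  * a heuristic for the EV "full name" rule: two upper-case ASCII letters
    (e.g. "NY") are reported as a probable abbreviation
"""
import re

UB_STATE_NAME = 128                                # RFC 3280: ub-state-name INTEGER ::= 128
OID_STATE_OR_PROVINCE = bytes.fromhex("550408")    # 2.5.4.8 (id-at 8), DER content octets
OID_COUNTRY = bytes.fromhex("550406")              # 2.5.4.6, used only for sample input
OID_COMMON_NAME = bytes.fromhex("550403")          # 2.5.4.3, used only for sample input
# Tags of the DirectoryString choices permitted for X520StateOrProvinceName
STRING_TAGS = {0x13: "PrintableString", 0x0C: "UTF8String", 0x14: "TeletexString",
               0x1C: "UniversalString", 0x1E: "BMPString"}
ABBREV_RE = re.compile(r"^[A-Z]{2}$")              # heuristic: "NY" rather than "New York"


def _tlv(tag, content):
    """Encode one DER TLV; lengths up to 65535 are plenty for a Name."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def encode_name(rdns):
    """Build Name ::= SEQUENCE OF RDN from (oid_bytes, string_tag, text) triples.
    Each attribute becomes its own single-valued RDN (SET OF one ATV), as
    OpenSSL does for a /C=.../ST=.../CN=... subject."""
    out = b""
    for oid, tag, text in rdns:
        atv = _tlv(0x30, _tlv(0x06, oid) + _tlv(tag, text.encode("utf-8")))
        out += _tlv(0x31, atv)
    return _tlv(0x30, out)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Iterate (tag, content) over the TLVs packed inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = _read_tlv(content, pos)
        yield tag, inner


def lint_state_or_province(name_der):
    """Return a list of findings for every ST attribute in the Name; [] means clean."""
    findings = []
    top_tag, rdn_seq, _ = _read_tlv(name_der, 0)
    if top_tag != 0x30:
        return ["Name is not a SEQUENCE"]
    for _, rdn in _children(rdn_seq):                 # each RDN is a SET
        for _, atv in _children(rdn):                 # each ATV is SEQUENCE {type, value}
            (_, oid), (val_tag, val) = list(_children(atv))[:2]
            if oid != OID_STATE_OR_PROVINCE:
                continue
            if val_tag not in STRING_TAGS:
                findings.append(f"ST value tag 0x{val_tag:02X} is not a permitted DirectoryString type")
                continue
            if val_tag == 0x1C:
                text = val.decode("utf-32-be")
            elif val_tag == 0x1E:
                text = val.decode("utf-16-be")
            else:
                text = val.decode("utf-8", errors="replace")
            if not 1 <= len(text) <= UB_STATE_NAME:
                findings.append(f"ST length {len(text)} violates SIZE (1..{UB_STATE_NAME})")
            if ABBREV_RE.match(text):
                findings.append(f"ST {text!r} looks like an abbreviation; EV guidelines require the full name")
    return findings


# Constructed sample subjects for this example (not taken from the thread).
SUBJECT_ABBREV = encode_name([(OID_COUNTRY, 0x13, "US"),
                              (OID_STATE_OR_PROVINCE, 0x13, "NY"),
                              (OID_COMMON_NAME, 0x0C, "example.test")])
SUBJECT_FULL = encode_name([(OID_COUNTRY, 0x13, "US"),
                            (OID_STATE_OR_PROVINCE, 0x0C, "New York"),
                            (OID_COMMON_NAME, 0x0C, "example.test")])
SUBJECT_TOO_LONG = encode_name([(OID_STATE_OR_PROVINCE, 0x0C, "X" * (UB_STATE_NAME + 1))])

if __name__ == "__main__":
    for label, der in (("abbrev", SUBJECT_ABBREV), ("full", SUBJECT_FULL), ("too long", SUBJECT_TOO_LONG)):
        print(label, lint_state_or_province(der) or "ok")
```

To run this against a real CSR, extract the Subject's DER bytes with an ASN.1 library and pass them to `lint_state_or_province`; the country attribute is deliberately not inspected, since "US" there is the required ISO 3166 code, not an abbreviation.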