
List:       openssl-users
Subject:    Re: [openssl-users] Question about stateOrProvince
From:       Wim Lewis <wiml () omnigroup ! com>
Date:       2016-08-31 2:52:53
Message-ID: 7E59EF02-4CE0-47FD-B15D-68ED84A88CC9 () omnigroup ! com

On Aug 30, 2016, at 6:28 PM, Tim Boring <tjboring@gmail.com> wrote:
> When creating a CSR, openssl displays the following
> 
> <quote>
> State or Province Name (full name) [Some-State]:
> </quote>
...
> And a couple lines up from that is a comment pointing to RFC 3280, which defines the following:

The original definition is from X.520, I suppose, which doesn't explicitly say whether abbreviations are allowed, although the example it gives is for a full name (Ohio). [1]

> I'm curious about this because the openssl command will create a CSR where stateOrProvince has a two-character (U.S.) state name, and (at least one) CA (Comodo) will happily issue a cert using such a CSR.

I think for ordinary domain-validated certificates, almost nothing in the Subject is actually validated or used by the browser, and I'd guess not inspected by the CA either.

In situations where people actually care, the full name seems to be required for that attribute. The following language shows up in a few places via Google:

From the CAB Forum guidelines for EV certs [3]:
> State, province, or locality information (where applicable) must use the full name of the applicable jurisdiction.


From a randomly found ITU-T draft of what became the EV certificate guidelines (TD 0411 [2], section 8.1.1 (4)):
> State or province or locality information (where applicable) for the Subject's Jurisdiction of Incorporation or Registration MUST be specified using the full name of the applicable jurisdiction.


My understanding from all this is that the correct use of that attribute is to have the full name, not an abbreviation, but that in most cases, a certificate's subject can contain any old garbage you like and it'll still work for TLS.

For situations other than TLS, of course, it's even vaguer, but I read X.520 as implying that the full name is preferred, but abbreviations may be used as alternatives in directories and so on.

> If not, then maybe it's just a matter of changing the prompt (I'm happy to submit a PR for such a minor change).


I'd argue that the prompt should stay the same. The user can type an abbreviation if they like, but if they're uncertain whether to type an abbreviation or a full name, then it's nice to include that guidance. (The country attribute, in contrast, is required to be an ISO3166 code according to X.520.)


[1] http://www.itu.int/rec/T-REC-X.520
[2] https://www.first.org/global/standardisation/docs/t09-sg17-090916-td-plen-0411__msw-e.doc
[3] https://cabforum.org/ev-certificate-contents/



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
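As an added example, not part of this thread and not OpenSSL code, here is a small checker for the conventions the message discusses: the subject line of a CSR or certificate (in the one-line form `openssl req -noout -subject -nameopt RFC2253 -in req.csr` prints) is parsed and `ST` is flagged when it is still the prompt default `Some-State` or looks like a postal abbreviation rather than the full jurisdiction name, while `C` is checked for ISO 3166 alpha-2 shape. The two-uppercase-letter heuristic for "abbreviation", the minimal RFC 4514 parser (backslash escapes only, no `\XX` hex decoding) and the sample subjects are all assumptions of this example.

```python
"""Lint a certificate/CSR subject for the stateOrProvince and country
conventions discussed in the thread.

Input is the one-line subject as printed by
    openssl req -noout -subject -nameopt RFC2253 -in req.csr
e.g.  subject=CN=example.com,O=Example Inc,L=Seattle,ST=WA,C=US
(the "subject=" prefix is optional). Example code, not OpenSSL's.
"""
import re

# Heuristic (an assumption of this example): a two-letter all-caps value
# is treated as a postal abbreviation, not the full jurisdiction name
# that the EV guidelines quoted in the thread require.
ABBREV_RE = re.compile(r"^[A-Z]{2}$")

# X.520 says countryName is an ISO 3166 code; this checks only the
# alpha-2 shape, not membership in the current ISO 3166-1 list.
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")

# Default OpenSSL offers at the "State or Province Name" prompt.
OPENSSL_DEFAULT_ST = "Some-State"


def parse_rfc4514(subject):
    """Split an RFC 4514 string into an ordered list of (type, value).

    Handles the backslash escape form (e.g. 'O=Example\\, Inc'); hex
    escapes (\\XX) are kept as the literal two characters, which is a
    simplification of this example.
    """
    if subject.startswith("subject="):
        subject = subject[len("subject="):]
    rdns, buf, i = [], [], 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            buf.append(subject[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    result = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr_type, value = rdn.split("=", 1)
        result.append((attr_type.strip().upper(), value.strip()))
    return result


def lint_subject(subject):
    """Return a list of warnings; an empty list means nothing was flagged."""
    warnings = []
    for attr_type, value in parse_rfc4514(subject):
        if attr_type in ("ST", "STATEORPROVINCENAME"):
            if value == OPENSSL_DEFAULT_ST:
                warnings.append(
                    "ST is still the OpenSSL prompt default 'Some-State'")
            elif ABBREV_RE.match(value):
                warnings.append(
                    "ST=%s looks like an abbreviation, not the full jurisdiction name"
                    % value)
        elif attr_type in ("C", "COUNTRYNAME"):
            if not COUNTRY_RE.match(value):
                warnings.append("C=%s is not in ISO 3166 alpha-2 form" % value)
    return warnings


if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real CSR.
    for sample in (
        "subject=CN=example.com,O=Example Inc,L=Seattle,ST=WA,C=US",
        "CN=example.com,O=Example\\, Inc,L=Seattle,ST=Washington,C=US",
        "CN=example.com,ST=Some-State,C=USA",
    ):
        print(sample)
        for w in lint_subject(sample) or ["  ok"]:
            print("  " + w.strip())
```

Feed it the subject of a CSR before submitting it to a CA: a DV CA may well accept `ST=WA`, as the thread notes, but a request headed for EV issuance, or for a directory that reads the attribute, is better off with the full name.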

