UID in subj args - bug?

Viktor Dukhovni openssl-users at dukhovni.org
Fri Jul 7 04:29:38 UTC 2023


On Thu, Jul 06, 2023 at 07:45:09PM -0400, Robert Moskowitz wrote:

> > Welcome to the world of X.509 where anything goes, and nobody knows
> > what's going on...
> 
> Well perhaps at IETF117 I can corner someone that can point me to the clue.

There isn't much clue to be had.  There's no definitive list of possible
RDN OIDs.  Each new application or even organisation with an OID arc
can define some new attribute (perhaps in their LDAP schema) and
choose to employ it in their directory names.

When I said "anything goes", I meant what I said.

> For now it seems that you put something into the policy section.  If it 
> does not throw an error, you are good.
> 
> or good enough.

You can literally put any OID in the policy section.  Then RDNs with
that OID will be treated per the policy (match, supplied or optional).

    oid_section = new_oids
    ...
    [ new_oids ]
    prime_rib = 2.3.5.7.11.13.19.23.29.31
    ...
    [ policy_match ]
    prime_rib = supplied
    ...

To be used in a PKI for the meat packing industry...

-- 
    Viktor.


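As an added example (not part of this thread or of OpenSSL itself), the policy semantics described above, match / supplied / optional plus an oid_section alias, evaluated against a constructed request subject; the config fragment, the sample subjects and the minimal config reader are assumptions for illustration.

```python
# Added example, not from the thread: evaluates an "openssl ca"-style policy
# section, with an OID alias from oid_section, against a request subject.
# Semantics per the openssl ca docs: match / supplied / optional; RDNs not
# named in the policy are dropped (as without -preserveDN). Config is constructed.
OPENSSL_CNF = """
oid_section = new_oids
[ ca ]
default_ca = CA_default
[ CA_default ]
policy = policy_match
[ new_oids ]
prime_rib = 2.3.5.7.11.13.19.23.29.31
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
prime_rib = supplied
emailAddress = optional
"""

def parse_cnf(text):
    """Minimal openssl.cnf reader: sections of key = value lines."""
    sections = {"default": {}}
    cur = sections["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, _, value = line.partition("=")
        cur[key.strip()] = value.strip()
    return sections

def apply_policy(req, ca, cnf=OPENSSL_CNF):
    """Subject openssl ca would issue for req (list of (attr, value)), or raise."""
    cfg = parse_cnf(cnf)
    oids = cfg.get(cfg["default"].get("oid_section", ""), {})
    policy = cfg[cfg[cfg["ca"]["default_ca"]]["policy"]]
    by_oid = {oid: name for name, oid in oids.items()}  # dotted OID -> name
    named = [(by_oid.get(attr, attr), val) for attr, val in req]
    ca_vals = dict(ca)
    for attr, rule in policy.items():
        vals = [v for a, v in named if a == attr]
        if rule in ("match", "supplied") and not vals:
            raise ValueError(f"{attr}: required by policy ({rule}) but absent")
        if rule == "match" and any(v != ca_vals.get(attr) for v in vals):
            raise ValueError(f"{attr}: does not match the CA certificate")
    return [(a, v) for a, v in named if a in policy]
```

A request carrying the dotted OID 2.3.5.7.11.13.19.23.29.31 is accepted as prime_rib, while an RDN absent from the policy section (serialNumber below) is silently dropped from the issued subject.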