iPlanet Certificate Management System Plug-ins Guide



Appendix B       Object Identifiers


iPlanet Certificate Management System (CMS) comes with a set of extension-specific policy plug-in modules that enable you to add X.509 certificate extensions to the certificates the server issues. Some of the extensions contain fields for specifying object identifiers. This appendix explains what an object identifier (OID) is and the significance of registering one.

The appendix has the following sections:

What's an Object Identifier?

Registration of Object Identifiers



What's an Object Identifier?

An object identifier is a string of numbers identifying a unique object, for example, a certificate extension or a company's certificate practice statement. For general information on OIDs, see the information at this URL:

http://www.alvestrand.no/objectid/

OIDs are controlled by the International Standards Organization (ISO) registration authority. In some cases, this authority is delegated by ISO to regional registration authorities. For example, in the United States, the American National Standards Institute (ANSI) manages this registration.



Registration of Object Identifiers



To promote interoperability, the PKIX standard recommends that all objects (such as extensions and policy statements) that appear in certificates used in networks shared with other organizations be included in the form of OIDs. If you plan to issue certificates that will be used in such networks, you should register your object identifier prefixes with the appropriate registration authority. For example, assume you want to add a custom extension that points to your company's certificate practice statement (CPS). To implement this, you need to compose the policy statement you want to include in the extension, define an OID for the policy statement, and configure Certificate Management System with the OID so that it can add that extension to the certificates it issues.

The use of an OID registered to another organization or the failure to register an OID may carry legal consequences, depending on context. Registration may be subject to fees. For more information, you should contact the appropriate registration authority.

To define or assign OIDs for your objects, you must know your company's arc, which is an OID for a private enterprise. If your company doesn't have an arc, it needs to get one. This URL contains information on registering for a company arc:

http://www.isi.edu/cgi-bin/iana/enterprise.pl

To understand why you need to have a company arc, check the information at this site:

http://www.alvestrand.no/objectid/2.16.840.1.113730.1.13.html

The site contains information on the Netscape-defined OID for an extension named Netscape Certificate Comment. Note that the OID assigned to this extension is hierarchical: it includes the Netscape company arc, which is 2.16.840.1.113730. Every OID Netscape owns has this prefix.

When determining whether to add a custom extension to certificates, keep in mind that if the extension exists in a certificate and is marked critical, the application validating the certificate must be able to interpret the extension (including the optional qualifiers, if any), or else it must reject the certificate. Since it's unlikely that all applications will be able to interpret your company's extensions (embedded in the form of OIDs), the PKIX standard recommends that such an extension always be marked noncritical. For general guidelines on setting extensions in certificates, see Appendix C "Certificate and CRL Extensions."
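The following Python is an added example, not code from the iPlanet CMS guide or from the product itself. It shows two things the appendix describes: how a dotted OID such as the Netscape Certificate Comment OID is encoded in DER and how its company-arc prefix can be checked, and how a validating application applies the criticality rule (an unrecognized critical extension forces rejection; an unrecognized noncritical one is ignored). The custom CPS-pointer OID under the IANA private-enterprise arc (1.3.6.1.4.1) uses a placeholder enterprise number that is not registered to anyone, and the list of known extension OIDs is a constructed sample.

```python
"""Added example (not part of the iPlanet CMS guide): DER OID encoding,
company-arc checks, and the PKIX criticality rule for extensions."""

NETSCAPE_ARC = "2.16.840.1.113730"               # company arc named in the text
NETSCAPE_CERT_COMMENT = NETSCAPE_ARC + ".1.13"   # Netscape Certificate Comment
# Placeholder enterprise number under the IANA private-enterprise arc; assumed,
# not a registered value.
CUSTOM_CPS_OID = "1.3.6.1.4.1.99999.1.1"


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID: {dotted}")
    body = bytearray()
    # The first two arcs share one sub-identifier: 40 * arc1 + arc2.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:                      # continuation bytes carry bit 0x80
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes) -> str:
    """Decode a short-form DER OBJECT IDENTIFIER back to dotted form."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    arcs, value, pending = [], 0, False
    for b in der[2:]:
        if value == 0 and not pending and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if pending:
            continue
        if not arcs:
            # Undo the 40 * arc1 + arc2 packing; the first arc is 0, 1 or 2.
            first = min(value // 40, 2)
            arcs.extend([first, value - 40 * first])
        else:
            arcs.append(value)
        value = 0
    if pending:
        raise ValueError("truncated sub-identifier")
    return ".".join(str(a) for a in arcs)


def under_arc(oid: str, arc: str) -> bool:
    """True when oid is the arc itself or sits below it (whole-arc prefix)."""
    return oid == arc or oid.startswith(arc + ".")


def validate_extensions(extensions, known_oids):
    """Apply the rule from the text: a critical extension the validator does
    not understand forces rejection; an unknown noncritical one is ignored.
    `extensions` is a list of (oid, critical) pairs; returns (accepted, reasons)."""
    reasons, accepted = [], True
    for oid, critical in extensions:
        if oid in known_oids:
            continue
        if critical:
            accepted = False
            reasons.append(f"reject: unrecognized critical extension {oid}")
        else:
            reasons.append(f"ignore: unrecognized noncritical extension {oid}")
    return accepted, reasons


# Constructed sample validator: knows keyUsage and basicConstraints (RFC 5280)
# but nothing under the custom enterprise arc.
KNOWN_EXTENSIONS = {"2.5.29.15", "2.5.29.19"}

if __name__ == "__main__":
    der = encode_oid(NETSCAPE_CERT_COMMENT)
    print(der.hex(), "->", decode_oid(der))
    print("under Netscape arc:", under_arc(NETSCAPE_CERT_COMMENT, NETSCAPE_ARC))
    print(validate_extensions([("2.5.29.15", True), (CUSTOM_CPS_OID, True)], KNOWN_EXTENSIONS))
    print(validate_extensions([("2.5.29.15", True), (CUSTOM_CPS_OID, False)], KNOWN_EXTENSIONS))
```

The arc check compares whole arcs, so an OID such as 2.16.840.1.1137301 is correctly rejected as not belonging to 2.16.840.1.113730; a plain string-prefix test would accept it. The two `validate_extensions` calls at the end show the same custom extension causing rejection when critical and being ignored when noncritical, which is the reason the text gives for marking company-specific extensions noncritical.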


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated April 02, 2001