Details
- Type: New Feature
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: EJBCA 6.11.0
- Component/s: None
- Labels: None
- Sprint: EJBCA Sprint 4
Description
FIPS 201-2 "Personal Identity Verification (PIV) of Federal Employees and Contractors" contains a Federal Agency Smart Credential Number (FASC-N) OtherName that we should support.
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf
https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/fpki-cert-profile-ssp.pdf
pivFASC-N: 2.16.840.1.101.3.6.6
—
The pivFASC-N OID may appear as a name type in the otherName field of the subjectAltName extension of X.509 certificates or a signed attribute in CMS external signatures. Where used as a name type, the syntax is OCTET STRING. Where used as an attribute, the attribute value is of type OCTET STRING. In each case, the value specifies the FASC-N of the PIV Card.
—
FIPS 201-2 C.1:
Federal Agency Smart Credential Number (FASC-N): As required by FIPS 201, one of the primary identifiers on the PIV Card for physical access control. The FASC-N is a fixed length (25 byte) data object, specified in [SP 800-73], and included in several data objects on a PIV Card.
OpenSSL way seems to be direct use of the OID, e.g.
otherName = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
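
The DER that the quoted profile text implies for a pivFASC-N otherName inside subjectAltName, as an added example that is not part of the original issue and not EJBCA code. The function names are hypothetical, the otherName layout follows RFC 5280 (GeneralName [0], value wrapped in [0] EXPLICIT), and the sample value is the 25-byte 0xAA placeholder from the OpenSSL line.

```python
# Added example (not EJBCA code): encode and strictly decode a pivFASC-N otherName.
PIV_FASCN_OID = "2.16.840.1.101.3.6.6"  # OID from the issue text
FASCN_LEN = 25                          # fixed length per FIPS 201-2 C.1

def tlv(tag, value):
    # Short-form DER length only; every element here is under 128 bytes.
    if len(value) >= 0x80:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode_fascn_othername(fascn):
    if len(fascn) != FASCN_LEN:
        raise ValueError(f"FASC-N must be {FASCN_LEN} bytes, got {len(fascn)}")
    value = tlv(0xA0, tlv(0x04, fascn))          # [0] EXPLICIT { OCTET STRING }
    return tlv(0xA0, encode_oid(PIV_FASCN_OID) + value)  # GeneralName otherName [0]

def read_tlv(buf, pos, tag):
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] >= 0x80:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[pos + 2:end], end

def decode_fascn_othername(der):
    outer, end = read_tlv(der, 0, 0xA0)
    if end != len(der):
        raise ValueError("trailing data after otherName")
    oid, pos = read_tlv(outer, 0, 0x06)
    if oid != encode_oid(PIV_FASCN_OID)[2:]:
        raise ValueError("otherName type-id is not pivFASC-N")
    wrapped, pos = read_tlv(outer, pos, 0xA0)
    fascn, inner_end = read_tlv(wrapped, 0, 0x04)
    if pos != len(outer) or inner_end != len(wrapped) or len(fascn) != FASCN_LEN:
        raise ValueError("value must be exactly one 25-byte OCTET STRING")
    return fascn

SAMPLE_FASCN = bytes.fromhex("AA" * 25)  # placeholder value from the OpenSSL line
```

Rejecting any length other than 25 bytes on both encode and decode keeps malformed FASC-N values out of issued certificates and out of relying-party parsers.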
Issue Links
- relates: ECA-7510 DnFieldExtractorTest fails in CE version (Closed)