Support for >32 bit sub-identifier in x509 certificate OIDs

(Adam Young) #1

Referring to the fix for the below issue:

This would be more appropriate as a discussion within that issue but it has been locked due to age so I am posting here.

There is currently a restriction in Go on OID sub-identifiers in an x509 certificate OID that they must be < 31 bits. Is there any intent to ever change that restriction?

We have a customer who wants to use certificates provided by their IT department. Their internal CertificatePolicyID, which is set in their certs, has a sub-identifier in the OID which would need a 64-bit int to represent. This certificate is accepted by other components in our product (mostly Java-based) but gets rejected by a small service we have running in Go.
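For readers triaging the same rejection, here is an added example (not part of the original post and not Go's standard-library code) that decodes the base-128 sub-identifiers of a DER OBJECT IDENTIFIER with arbitrary precision and reports which arcs exceed the 31-bit limit described above. The names `DecodeOID` and `maxArc` are hypothetical, and the sample OID is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// maxArc: largest value that fits in 31 bits, the limit described in the post.
var maxArc = big.NewInt(1<<31 - 1)

// DecodeOID decodes the content octets of a DER OBJECT IDENTIFIER (tag and
// length stripped) into arbitrary-precision arcs, and returns the indexes of
// arcs that exceed maxArc.
func DecodeOID(der []byte) (arcs []*big.Int, oversized []int, err error) {
	if len(der) == 0 || der[len(der)-1]&0x80 != 0 {
		return nil, nil, errors.New("empty or truncated OID")
	}
	cur, start := new(big.Int), true
	for _, b := range der {
		if start && b == 0x80 {
			return nil, nil, errors.New("non-minimal sub-identifier")
		}
		cur.Or(cur.Lsh(cur, 7), big.NewInt(int64(b&0x7f)))
		if start = b&0x80 == 0; start {
			arcs = append(arcs, cur)
			cur = new(big.Int)
		}
	}
	// The first sub-identifier packs the first two arcs as 40*X + Y (X <= 2).
	x, y := big.NewInt(2), new(big.Int).Sub(arcs[0], big.NewInt(80))
	if y.Sign() < 0 {
		x, y = new(big.Int).DivMod(arcs[0], big.NewInt(40), new(big.Int))
	}
	arcs = append([]*big.Int{x, y}, arcs[1:]...)
	for i, a := range arcs {
		if a.Cmp(maxArc) > 0 {
			oversized = append(oversized, i)
		}
	}
	return arcs, oversized, nil
}

func main() {
	// Constructed sample, not a real policy OID: 1.3.6.1.4.1.<2^40>.1
	der := []byte{0x2b, 6, 1, 4, 1, 0xa0, 0x80, 0x80, 0x80, 0x80, 0x00, 1}
	fmt.Println(DecodeOID(der))
}
```

Running a check like this over the policy OIDs of an incoming certificate chain shows in advance which certificates a parser with a 31-bit arc limit will refuse.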