How to properly include custom information into X509 certificates

Tags: x509

I'm working on implementing a web service that uses X509 certificates for authentication and authorization of the caller.

Is it proper to specify the entity type (i.e. "end user" or "device") as part of the subject name, with, say, OU RDN?

Is it proper to specify the identity of the entity as part of the subject name, with CN RDN?

Is the best place for the authorization tokens to be part of the X509.v3 extensions (I understand authorization info, like "have access to cookie jar", doesn't belong in subject name section)?

If I am to include custom extension values in the certificates, is the proper way to do so to apply for an OID (through a PEN), create child OID(s) that designate authorization information, and use these OID(s) as the OIDs for the extensions? If that's wrong for some reason, any pointers to how this should be done in a standard way would be appreciated.

Pawel Veselov asked Mar 05 '15 10:03


1 Answer

It is proper to specify the entity's identity in the Common Name (CN) field of the Subject Distinguished Name (DN). For a user or device, it would be appropriate to also specify the Organization (O) and/or Organizational Unit (OU) to which they belong in the Subject DN. There is also the User ID (UID) component.

There is a standard profile of X.509 for authorization assertions specified in RFC 5755. An attribute certificate bears one or more attributes about an identity such as group membership, role, clearance level, etc., as well as referencing the public key certificate (that is, the usual kind of X.509 certificate) of the identity to which the authorization information applies.

This standardized approach avoids any need to devise custom X.509 extensions, and hence, apply for an official OID (which is just as well, because I don't know the "official" procedure for this).

frasertweedale answered Jan 03 '23 13:01
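As an added illustration (not code from either poster), the following standard-library-only Python shows what the two pieces discussed above look like on the wire: a DER-encoded subject Name with the identity in CN and the organisational placement in O/OU, and a child OID derived under an IANA Private Enterprise Number arc, which is what the question's custom-extension route would require. The PEN value 99999 used in the docstring is a constructed placeholder, not a registered number; the answer's recommendation is to carry authorization in RFC 5755 attribute certificates rather than in such private extensions.

```python
# X.520 attribute-type OIDs for the RDN components named in the answer.
ATTR_OIDS = {
    "CN": "2.5.4.3",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "UID": "0.9.2342.19200300.100.1.1",
}
PEN_ARC = "1.3.6.1.4.1"  # iso.org.dod.internet.private.enterprise

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: " + dotted)
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128; high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def encode_name(rdns):
    """rdns: [(type, value), ...]; one AttributeTypeAndValue per RDN."""
    seq = b""
    for typ, value in rdns:
        atv = encode_oid(ATTR_OIDS[typ]) + der_tlv(0x0C, value.encode("utf-8"))
        seq += der_tlv(0x31, der_tlv(0x30, atv))  # SET OF { SEQUENCE { type, value } }
    return der_tlv(0x30, seq)  # Name ::= SEQUENCE OF RelativeDistinguishedName

def private_extension_oid(pen: int, *children: int) -> str:
    """Child OID under an enterprise's PEN arc.

    private_extension_oid(99999, 1, 2) -> "1.3.6.1.4.1.99999.1.2"
    (99999 is a made-up placeholder PEN, not a registered one).
    """
    return ".".join([PEN_ARC, str(pen), *(str(c) for c in children)])
```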