ISO/IEC 29168-2: OID Resolution Procedures for Registration Authorities

Information technology — Object identifier resolution — Part 2: Resolution procedures

ISO/IEC 29168-2 specifies the operational procedures for OID resolution authorities and participants in the OID resolution infrastructure. While Part 1 defines the system architecture and protocol, this part addresses the human and procedural aspects: how registration authorities manage OID arcs, how participants register and maintain their OID information, and the governance mechanisms that ensure the resolution system remains trustworthy and up-to-date over time.

Establish clear service-level agreements (SLAs) for your OID resolution authority, including maximum response times for registration requests, update processing windows, and dispute resolution timelines. Published SLAs build trust with participants.

Registration Authority Responsibilities

The standard defines two tiers of registration authority: primary registration authorities that manage top-level OID arcs under the ISO/ITU-T root, and subordinate registration authorities that manage delegated sub-arcs. Each authority must maintain a registration database with accurate and current information for all OIDs under its purview. Responsibilities include processing registration requests within defined timeframes, validating the uniqueness and correctness of new OID assignments, maintaining historical records of OID ownership changes, and publishing authoritative resolution data to the resolution infrastructure.

| Authority Tier | Arc Scope | Key Responsibilities | Validation Requirements |
|---|---|---|---|
| Primary RA | Top-level arcs (ISO, ITU-T joint arcs) | Sub-arc delegation, global coordination | Identity verification, legal entity validation |
| Subordinate RA | Organization-specific arcs | Registration processing, data maintenance | Technical capability, namespace management |
| Participant | Individual OID assignments | Data accuracy, timely updates | Self-certification with periodic audit |

When subordinate registration authorities implement automated validation workflows, OID registration processing time drops from an average of 5 business days to under 2 hours, dramatically improving the user experience for participants.

Registration and Maintenance Procedures

ISO/IEC 29168-2 defines a step-by-step registration procedure that begins with a participant submitting a registration request containing the proposed OID value, descriptive metadata, contact information, and intended use context. The registration authority validates the request against namespace rules, checks for conflicts with existing registrations, and either approves or rejects the request with documented reasons. Approved registrations are published to the resolution infrastructure with an initial TTL value, after which the participant must periodically confirm the continued accuracy of the registration data.

Maintenance procedures include periodic reconfirmation requirements (typically annual), procedures for transferring OID ownership between organizations, processes for retiring or deprecating OIDs that are no longer in use, and dispute resolution mechanisms for conflicting registration claims. The standard also addresses emergency procedures for critical updates, such as when a security certificate OID needs immediate revocation due to a key compromise.

The most common failure in OID resolution infrastructures is registration decay — OIDs whose metadata becomes stale because participants fail to update contact information or retire unused identifiers. Implement automated reminders and grace period procedures as required by 29168-2.
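
An added example, not taken from the standard or from the original page: a sketch of the automated checks a subordinate RA could run for the registration and reconfirmation steps described above. The record layout, owner names, the 30-day grace period and the rule that a node beneath another participant's registration counts as a conflict are assumptions; 2.999 is the arc reserved for examples.

```python
from datetime import date, timedelta

RECONFIRM_INTERVAL = timedelta(days=365)  # "typically annual" on the page
GRACE_PERIOD = timedelta(days=30)         # assumed; the page gives no length

def parse_oid(text):
    """Dotted-decimal OID -> tuple of ints, enforcing the root-arc limits."""
    parts = text.split(".")
    ok = all(p.isascii() and p.isdigit() and (p == "0" or p[0] != "0") for p in parts)
    if len(parts) < 2 or not ok:
        raise ValueError("malformed OID")
    arcs = tuple(int(p) for p in parts)
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid root arcs")
    return arcs

def validate_request(oid_text, owner, delegated_arc, registry):
    """Return (approved, reason) for a request to the RA holding delegated_arc."""
    try:
        oid = parse_oid(oid_text)
    except ValueError as exc:
        return False, str(exc)
    base = parse_oid(delegated_arc)
    # Compare arc tuples, not strings: "2.999.10" is not under "2.999.1".
    if len(oid) <= len(base) or oid[:len(base)] != base:
        return False, "outside delegated arc"
    if oid in registry:
        return False, "conflict: already registered"
    # Assumed rule: a node beneath another participant's registration is theirs.
    for depth in range(len(base) + 1, len(oid)):
        holder = registry.get(oid[:depth])
        if holder and holder["owner"] != owner:
            return False, "conflict: under arc held by " + holder["owner"]
    return True, "approved"

def reconfirmation_status(last_confirmed, today):
    """Classify a registration as current, in grace (remind), or stale."""
    age = today - last_confirmed
    if age <= RECONFIRM_INTERVAL:
        return "current"
    return "grace" if age <= RECONFIRM_INTERVAL + GRACE_PERIOD else "stale"

# Constructed sample registry under 2.999 (hypothetical owners and dates).
REGISTRY = {
    (2, 999, 1, 1): {"owner": "org-a", "confirmed": date(2024, 1, 10)},
    (2, 999, 1, 2): {"owner": "org-b", "confirmed": date(2022, 6, 1)},
}
```

Every rejection carries a reason string, matching the requirement that requests are approved or rejected with documented reasons.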

Governance and Dispute Resolution

A significant contribution of ISO/IEC 29168-2 is its governance framework for the OID resolution ecosystem. The standard establishes principles for fair and transparent OID allocation, including first-come-first-served policies for non-conflicting registrations, documented priority rules for contested OID arcs, and appeals procedures for participants who disagree with registration authority decisions. The governance framework also addresses data protection and privacy considerations, particularly for OID registrations that may reveal sensitive information about organizational structures or internal systems.

The standard recommends that each registration authority establish an oversight board or advisory group with representation from participant organizations. This board reviews disputed registration decisions, approves changes to registration policies, and monitors the overall health of the OID resolution infrastructure through regular reporting and metrics.

Without a formal dispute resolution mechanism, OID registration conflicts can escalate into operational emergencies, particularly when two organizations claim the same OID arc for critical infrastructure functions. Establish your dispute resolution procedures before conflicts arise, not after.

Frequently Asked Questions

Q: What qualifications are needed to become a subordinate registration authority?
A: Organizations must demonstrate technical capability to operate resolution infrastructure, commitment to the governance principles of the standard, and the ability to serve the participant community for the OID arcs they manage. Typically, industry consortia or standards development organizations serve as subordinate RAs.
Q: How are OID ownership disputes resolved under 29168-2?
A: The standard specifies a graduated process: informal negotiation, mediation by the parent registration authority, formal arbitration, and as a last resort, de-registration of the disputed OID with notification to all dependent parties.
Q: What happens if a registration authority ceases operations?
A: The standard requires continuity planning. The parent authority must have a succession plan to transfer RA responsibilities to another qualified organization, with a minimum 6-month transition period to ensure resolution service continuity.
Q: Can registration procedures be fully automated?
A: Yes, for routine registrations within well-defined namespaces. However, the standard requires human oversight for complex cases such as cross-jurisdictional registrations, contested arcs, or registrations involving regulated data.
