Summary
An OID is an object identifier.
But it’s more interesting than that.
Way more.
There I was: on Christmas break, hacking away at a side project.
As engineers do.
I was adding a new feature to my macOS app.
Apple’s documentation would tell me the app needs Accessibility (AX) permissions to work. More or less, full control of the end user’s machine.
Asking is easy.
And yet approve as I may, each system call gated by AX permissions would fail.
A full day of aimless troubleshooting would pass.
Before solving the problem, I’d become much more acquainted with late 1980s computing decisions.
I’d learn about a committee that formed. It would create X.500: a standard, a driving force, that took computer networking to a global scale.
And, I’d learn what an OID is.
This is that story.
To understand what an OID is, you must first know code signing.
Code signing is a security mechanism. It allows a software author to say “This application you downloaded is definitely what I made, and hasn’t been tampered with.”
Let’s use an analogy. I’m going to send my app to a user via postal service.
“Just so you know,” the postman says, handing over the envelope, “I already validated this wax stamp is legitimate.”
No bones about it, that’s what I intended to send.
The recipient brims with trust.
The post office analogy describes a chain of trust.
The recipient trusts the postman, who trusts the post office employing him, which as an organization trusts its internal validation systems.
With chain of trust, we have an organized system of validating a who.
But before understanding what an OID is, you must know about the how.
Computer networks got big in the 1980s. Real big.
What began as a contained research project grew into a gargantuan idea. What would it take to scale a computer network so much, that it could span the entire globe?
In 1988 this ambitious idea of world-scale was attempted by way of committee. Its members would go on to approve X.500: a series of standards for a global directory service, the electronic phonebook for a worldwide network.
The series defines how entries in that directory are named, how they are looked up, and how the parties to a lookup prove who they are.
You’re familiar with that last piece already. Remember chain of trust? X.509, one standard in the X.500 series, defines the certificates that chain is built from, and it is still the certificate format your browser and your operating system verify today.
These protocols would define how computers communicate.
The postal delivery route and its regional offices, more or less.
Effective communication requires a common understanding.
Parties must agree that a certain idea, thing, object, can be commonly referenced.
I say “green apple.” And, if you read English well enough, you just conjured a thought of an apple similar to mine. Communication successful.
But what if you don’t read English?
If computer networks were to scale globally, a metaphorical phonebook alone wasn’t enough. The committee must break the barrier of nomenclature itself.
What was needed was a universal definition framework.
A Babel fish.
You’re a committee member in 1988. You must create a universal dictionary.
A daunting task!
A resilient system would be impervious to miscommunication. Not just tomorrow, but after decades of inevitable change in the world, it remains relevant.
No small feat.
A resilient dictionary withstands the change of time, and its highly unpredictable nature.
What rules might it implement?
Need | Description |
---|---|
Global Uniqueness | Common understanding is lost when multiple definitions exist. A dictionary must guarantee global uniqueness: a single object has exactly one definition, and a single key names exactly one object. |
Decentralized | Centralized naming systems don’t scale. A single authority responsible for all definitions would be slow to update, cumbersome, and prone to bottlenecks. The solution must delegate responsibility to intermediaries. |
Extensible | The system should be an ironclad source of truth. It grows by adding new definitions, never by changing or reusing an existing one. |
Simple | The system should favor universal simplicity over complexity. Ideally, a key to lookup a definition should avoid barriers of language. |
Seems like a good start.
Enough delay. We can now discuss OIDs.
An object identifier is a key into a simple key-value system. You give the system the key; it describes the one value that key names.
Coming full circle now: below is the OID needed for my macOS app to work.
OID | Definition |
---|---|
1.2.840.113635.100.6.1.14 | Apple Custom Extension “devid_install” |
From the OID itself we can guess some of its behavior.
It’s a period-delimited string of numbers of varying size. In computer science parlance, it looks suspiciously like a path through a tree.
And indeed it is. Let’s break that tree down.
ID | Category | Value | Description |
---|---|---|---|
1 | Governing Committee | ISO | The top-level arc is the governing committee. There are only three! 1 is managed by the International Organization for Standardization (ISO). |
2 | Committee-defined subhierarchy | Member Bodies | The governing committee defines its own sub-hierarchy. For ISO, 2 is a category defined as Member Bodies. Member Bodies represent countries around the globe. |
840 | Member Body | us (United States) | The specific member body 840 is assigned to the United States. |
113635 | Organization | apple (Apple, Inc.) | Apple registered with ANSI, the United States member body, and became known as organization 113635. |
100 | Organization Category | Data security | Apple decided to create their own category for data security. |
6 | Organization Subcategory | Apple-specific certificate extensions | Apple decided to register the concept of certificate extensions as a subcategory. |
1 | Organization Subcategory | Apple-specific code signing certifications extensions | Apple decided to register the concept of code signing certificate extensions. |
14 | Final OID Identifier | devid_install | Apple registered a unique concept: the Developer ID Installer extension, marking a certificate used to sign macOS installer packages distributed outside the Mac App Store. |
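The walk above is easy to do in code. Below is an added example (mine, not code from the original post or from Apple) that parses a dotted OID into its arcs, labels each prefix against a tiny registry, and round-trips the OID through the DER encoding that X.509 certificate extensions actually carry. The registry is a constructed stub holding only the arcs from the table; its label for `1.2.840.113635.100.6.1` follows the post’s own wording and is an assumption, not an official name. The DER rules (first two arcs packed as `40*a+b`, base-128 with a continuation bit, minimal encoding required) are the real ones from X.690.

```python
"""Added example (not from the original post): parse, label and DER round-trip an OID."""

# Constructed mini-registry: only the arcs walked in the post's table.
# A real lookup needs a full registry; this is just enough to show the walk.
REGISTRY = {
    "1": "iso",
    "1.2": "member-body",
    "1.2.840": "us",
    "1.2.840.113635": "apple",
    "1.2.840.113635.100": "appleDataSecurity",
    "1.2.840.113635.100.6": "appleCertificateExtensions",
    "1.2.840.113635.100.6.1": "appleCodeSigningExtensions",  # assumed label, per the post
    "1.2.840.113635.100.6.1.14": "devid_install",
}


def parse_oid(text):
    """Split a dotted OID into integer arcs, rejecting malformed input.

    The root arc must be 0, 1 or 2 (itu-t, iso, joint-iso-itu-t). Under
    roots 0 and 1 the second arc is capped at 39, because DER packs the
    first two arcs into one value as 40 * root + second.
    """
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError("malformed OID: %r" % text)
    arcs = [int(p) for p in parts]
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid root arcs: %r" % text)
    return arcs


def walk(arcs):
    """Return (prefix, label) for every prefix of the OID, top arc first."""
    out = []
    for i in range(1, len(arcs) + 1):
        prefix = ".".join(str(a) for a in arcs[:i])
        out.append((prefix, REGISTRY.get(prefix, "?")))
    return out


def encode_der(arcs):
    """DER-encode: tag 0x06, short-form length, then base-128 subidentifiers."""
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for v in subids:
        chunk = [v & 0x7F]          # low 7 bits, continuation bit clear
        v >>= 7
        while v:                    # higher groups get the continuation bit set
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_der(data):
    """Decode a DER OBJECT IDENTIFIER back to dotted form, strictly.

    Rejects a wrong tag or length, a truncated final subidentifier, and
    non-minimal encodings (a subidentifier starting with 0x80), since
    accepting those lets two byte strings name the same OID.
    """
    if len(data) < 3 or data[0] != 0x06 or data[1] != len(data) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    if data[-1] & 0x80:
        raise ValueError("truncated subidentifier")
    values, acc, at_start = [], 0, True
    for b in data[2:]:
        if at_start and b == 0x80:
            raise ValueError("non-minimal subidentifier encoding")
        acc = (acc << 7) | (b & 0x7F)
        at_start = not (b & 0x80)
        if at_start:
            values.append(acc)
            acc = 0
    first = values[0]
    root = 2 if first >= 80 else first // 40
    arcs = [root, first - 40 * root] + values[1:]
    return ".".join(str(a) for a in arcs)


if __name__ == "__main__":
    oid = "1.2.840.113635.100.6.1.14"
    for prefix, label in walk(parse_oid(oid)):
        print("%-28s %s" % (prefix, label))
    der = encode_der(parse_oid(oid))
    print(der.hex(), "->", decode_der(der))
```

The DER bytes that come out, `06 0a 2a 86 48 86 f7 63 64 06 01 0e`, are what you will see if you hex-dump a Developer ID certificate and search for this extension; the `2a 86 48 86 f7 63 64` prefix is the same in every Apple OID, because it is the encoding of `1.2.840.113635.100`.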
Flipping back to what makes a good universal dictionary, does it hit the mark?
The first few ID tree values define governing committees and their self-defined suborganizations.
As we now know, ISO is one of three committees which manage OID registrations. But they don’t manage all definitions. They simply can’t manage every country, their organizations, and each subhierarchy.
Instead a chain of trust comes into play. Our beloved ISO can vouch that member body 840 is the United States. They don’t care about anything beyond that.
But then how do you register as an organization under 840? You don’t go to ISO, you ask the US member body, ANSI, nicely.
Yes, indeed, for $1,000 you too can be an ANSI organization like Apple.
Apple, being an approved ANSI organization, registers its own object identifiers. Like the very one my app needed to function. Note what registration does and doesn’t buy: it guarantees the number is unique and names one thing, nothing more. That a certificate carrying 1.2.840.113635.100.6.1.14 really is a Developer ID certificate comes from the signature chain back to Apple’s root, not from the OID itself.
What’s a dictionary without the paper it’s printed on?
Remember: a cascading system of trust is at work. ISO, at the top of the tree, only cares about broad definitions, like which number is a country. You don’t talk to ISO to define Apple’s dictionary.
And in turn, that country only cares to define immediate descendants it controls, like ANSI organizations.
Uhh, wait – that’s a big problem, isn’t it? Who is piecing together every definition into a common dictionary?
The problem with decentralization is that no one is responsible for the system at large.
Fret not. Someplace, somewhere, a very-expensive data dump is hidden behind ISO or ANSI membership dues.
And for everyone else, there are unofficial sources. Here are a couple:
Standards which introduced OIDs have clear rules for registration.
Generally it’s all very serious business. You can’t get weird — this isn’t a joke.
And yet, very rare cases of weird, did I find.
OID | How Weird |
---|---|
1.3.6.1.4.1.6281 | Jingle Cats Music A very real Christmas album. |
1.3.6.1.4.1.44776.1.1.1 | For the poetic description: |
1.3.6.1.4.1.61117.9000.2.2.134340 | Identifies the song “134340” by the hit band BTS. |
So did the committee succeed? Well, mostly.
OIDs are still in use and actively registered.
Many definitions deal with security in general. Networks, protocols, security certificates.
But, as always happens in engineering, new standards and use cases followed. Sometimes you use OIDs, and sometimes you don’t.
Sometimes you learn about LDAP. Or waste an afternoon by clicking links in the Object identifier Wikipedia article.
I’ve been in the world of software since first discovering #php on 1990s freenode.
It’s wild to me: an entire universe of committees, protocols, ideas, decisions, created before I was even born.
How many people really know what an OID or X.500 is?
Fellow software engineers in my industry don’t necessarily need to know about these concepts.
There’s a chain of trust there too, isn’t there? I trust those before me made a solid set of protocols. And that system doesn’t require I learn about it in depth.
Kind of nice.
As Xcode troubleshooting goes, I will say this was a pleasant rabbit hole indeed.
P.S. — Dying to know the app fix? It unfortunately deserves its own article.
But, you can see the solution in a CLI fixer-script I published.
And in particular this overly-verbose comment.
Enjoy.