=JeffH wrote:
> > Is this text more accurate?
> >
> > The subject field of a PKIX certificate is defined as a X.501 type
> > Name and known as a Distinguished Name (DN) -- see [X.501] and
> > [PKIX]. A DN is an ordered sequence of Relative Distinguished Name
> > (RDNs), where an RDN is a set (i.e., an unordered group) of type-and-
> > value pairs [LDAP-DN], each of which asserts some attribute about the
> > subject of the certificate.
> yes, IMV.
> > BTW I don't see any evidence for the following claim in RFC 4514:
> >
> > The RDNs are ordered in the DN sequence from
> > most general to most specific.
> It is in X.501 (V3 (4th edition) section 9.7).
> The distinguished name of a given object is defined as that name which
> consists of the sequence of the RDNs of the entry which represents the
> object and those of all of its superior entries (in descending order).
> However, various (many? most?) CAs don't have an actual X.500 / LDAP
> directory with actual entries for the subjects of the certs they issue,
> and so concoct their subjectName DNs outta thin air (more or less) and
> so the notion that the RDNs in such DNs are ordered from most general to
> most specific doesn't necessarily hold (from what I understand).
> So I'm not sure right now what to say about that. I suspect we can still
> stipulate that the only RDN having attr type of CN that we'll pay
> attention to is the one at the far end of the RDN sequence comprising
> the DN.
I think a lot of DNs got concocted because X.500 implementers assumed
the examples in X.501 were normative. That is c=, o=, (4) ou=, cn=.
But you might be right that no descending ordering can be assumed. If
you look at the subjectName in the datatracker certificate it's:
CN = *.ietf.org
OU = Terms of use at www.verisign.com/rpa (c)05
OU = Internet Engineering Task Force
O = IETF Trust
L = Reston
ST = Virginia
C = US
Is an organization more or less specific than a location?
spt
_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
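As an added example (not code from this thread, from the draft, or from any IETF project), a small Python parser that turns an RFC 4514 subject string into X.501 SEQUENCE order and applies JeffH's stipulation above: only the CN in the RDN at the far end of the sequence counts, so a CN in any other RDN is ignored rather than matched. The datatracker subject quoted by spt is embedded in RFC 4514 form; the escape handling and the other inputs in the usage note are assumptions and constructed samples.

```python
"""Pick the CN at the far end of a subject DN's RDN sequence.

RFC 4514 string form lists RDNs reversed relative to the X.501 SEQUENCE:
'CN=a,O=b,C=US' is the sequence [C=US], [O=b], [CN=a]; the CN is in the last RDN.
Input is RFC 4514 form (no spaces around '='); RFC 2253 '"' quoting is not handled.
"""
import string

# Subject of the datatracker certificate quoted in the thread, in RFC 4514 form.
DATATRACKER_SUBJECT = ("CN=*.ietf.org,OU=Terms of use at www.verisign.com/rpa (c)05,"
                       "OU=Internet Engineering Task Force,O=IETF Trust,"
                       "L=Reston,ST=Virginia,C=US")


def parse_dn(dn):
    """Return a list of RDNs in ASN.1 SEQUENCE order; each RDN is a list of (type, value)."""
    rdns, rdn, buf, attr = [], [], [], None
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:  # escape: '\X' literal or '\XX' hex pair (assumed ASCII)
            if i + 2 < n and dn[i + 1] in string.hexdigits and dn[i + 2] in string.hexdigits:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == "=" and attr is None:  # ends the type; a later '=' is part of the value
            attr, buf = "".join(buf).strip().upper(), []
        elif ch in ",+":  # ',' closes the RDN; '+' joins values of a multi-valued RDN
            rdn.append((attr or "", "".join(buf)))
            attr, buf = None, []
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    rdn.append((attr or "", "".join(buf)))
    rdns.append(rdn)
    rdns.reverse()  # string form is most-specific-first; the SEQUENCE is the other way round
    return rdns


def terminal_cn(dn):
    """CN from the last RDN of the sequence, or None if absent or ambiguous (two CNs).
    A CN in any earlier RDN is ignored on purpose: that is the stipulation in the thread."""
    cns = [v for t, v in parse_dn(dn)[-1] if t == "CN"]
    return cns[0] if len(cns) == 1 else None
```

For the datatracker subject the sequence order comes out as C, ST, L, O, OU, OU, CN and `terminal_cn` returns `*.ietf.org`; for a constructed string such as `OU=Servers,CN=admin,O=Example,C=US` the CN sits in a non-terminal RDN and the function returns None.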