On 13.05.2010 01:02, ArkanoiD wrote:
> It does not really answer the question, we should analyse certificates seen
> "in the wild" ;-)

Here's some data. It's from a sample of about 90,000 non-self-issued certs (from commercial CAs, most likely reflecting shares like those in http://news.netcraft.com/SSL-survey). The data are from the beginning of 2009, but I don't think the situation has considerably changed in between. The second column shows the RDNs in the order they have in the ASN.1 subject SEQUENCE, while the first column gives the number of occurrences of such a cert (only the "top 15" are shown).

19464 C, O, OU, OU, OU, CN
15657 C, ST, L, O, OU, CN
 6859 O, OU, CN
 5603 C, ST, L, O, OU, OU, CN
 4983 C, ST, L, O, OU, OU, OU, OU, CN
 4813 C, ST, L, O, CN
 4746 O, OU, OU, OU, CN
 3915 C, postalCode, ST, L, streetAddress, O, OU, OU, OU, CN
 3884 C, postalCode, ST, L, streetAddress, O, OU, OU, CN
 2820 O, CN, OU
 2726 C, ST, L, O, OU, CN, emailAddress
 1565 C, OU, O, CN
 1401 OU, OU, CN
 1311 C, postalCode, ST, L, streetAddress, O, OU, CN
 1212 C, ST, L, O, OU, OU, OU, CN
[...]

>> On 12 May 2010, at 15:37, Peter Saint-Andre wrote:
>>
>>>> So I'm not sure right now what to say about that. I suspect we can still
>>>> stipulate that the only RDN having attr type of CN that we'll pay
>>>> attention to is the one at the far end of the RDN sequence comprising
>>>> the DN.
>>>
>>> We can stipulate that, but is it realistic?

Note that "the one at the far end of the RDN sequence" should not imply that the CN should necessarily be the very last element of the subject. Looking at cases like

 2820 O, CN, OU
 2726 C, ST, L, O, OU, CN, emailAddress

I would only stipulate that if multiple CNs occur in the subject (and they can be found in that sample, btw), only the last one is taken into account.

Kaspar

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
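The ordering point made above is easy to lose if a decoder hands back the subject as a dictionary keyed by attribute type. The following is an added example, not code from the thread or from any of its participants: a minimal DER walker in pure Python (no third-party dependencies) that keeps the RDN order of the subject SEQUENCE, plus a `last_cn()` selector implementing the "if several CNs occur, only the last one counts" rule, which also covers the case where the CN is not the final element (as in the 2726 and 2820 rows). The sample subjects, their values, and the `encode_subject()` builder used to produce them are constructed here for the example; the attribute OIDs are the standard X.520 / PKCS#9 ones.

```python
# Added example: walk an X.509 subject Name in DER, preserving the RDN order
# of the SEQUENCE, and apply the "last CN wins" rule. Sample data is constructed.

# DER-encoded OIDs for the attribute types in the table (plus PKCS#9 emailAddress)
OID_TO_ATTR = {
    b"\x55\x04\x06": "C",
    b"\x55\x04\x08": "ST",
    b"\x55\x04\x07": "L",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x0b": "OU",
    b"\x55\x04\x03": "CN",
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",
}
ATTR_TO_OID = {v: k for k, v in OID_TO_ATTR.items()}
SEQUENCE, SET, OID, UTF8STRING, PRINTABLESTRING, IA5STRING = 0x30, 0x31, 0x06, 0x0C, 0x13, 0x16


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_subject(rdns):
    """Build a DER Name from [(attr, value), ...] in the order given (constructed
    input helper). Each entry becomes a single-valued RDN: a SET holding one
    AttributeTypeAndValue SEQUENCE, which is the shape of the certs in the table."""
    out = b""
    for attr, value in rdns:
        string_tag = IA5STRING if attr == "emailAddress" else UTF8STRING
        atv = tlv(SEQUENCE, tlv(OID, ATTR_TO_OID[attr]) + tlv(string_tag, value.encode("utf-8")))
        out += tlv(SET, atv)
    return tlv(SEQUENCE, out)


def read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def decode_subject(der: bytes):
    """Return [(attr, value), ...] in the order the RDNs appear in the SEQUENCE.
    A multi-valued RDN contributes one tuple per AttributeTypeAndValue."""
    tag, seq, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a DER Name")
    result = []
    for rdn_tag, rdn in children(seq):
        if rdn_tag != SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        for atv_tag, atv in children(rdn):
            if atv_tag != SEQUENCE:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            (oid_tag, oid), (val_tag, val) = list(children(atv))[:2]
            if oid_tag != OID:
                raise ValueError("attribute type must be an OBJECT IDENTIFIER")
            attr = OID_TO_ATTR.get(oid, "oid:" + oid.hex())
            # Decode the common string types; leave anything else opaque rather than guess.
            value = val.decode("utf-8") if val_tag in (UTF8STRING, PRINTABLESTRING, IA5STRING) else val.hex()
            result.append((attr, value))
    return result


def rdn_order(der: bytes):
    return [attr for attr, _ in decode_subject(der)]


def last_cn(der: bytes):
    """If several CNs occur, take the last one in sequence order. The CN need not
    be the final element of the subject, so do not just look at the last RDN."""
    cns = [value for attr, value in decode_subject(der) if attr == "CN"]
    return cns[-1] if cns else None


# Constructed sample subjects: the 2726 and 2820 shapes, and a two-CN subject.
SUBJECT_2726 = encode_subject([("C", "US"), ("ST", "California"), ("L", "Mountain View"),
                               ("O", "Example Corp"), ("OU", "Web"), ("CN", "www.example.com"),
                               ("emailAddress", "hostmaster@example.com")])
SUBJECT_2820 = encode_subject([("O", "Example Corp"), ("CN", "www.example.com"), ("OU", "Web")])
SUBJECT_TWO_CN = encode_subject([("C", "US"), ("O", "Example Corp"), ("CN", "Example Corp"),
                                 ("OU", "Web"), ("CN", "www.example.com")])

if __name__ == "__main__":
    for label, der in (("2726", SUBJECT_2726), ("2820", SUBJECT_2820), ("two CNs", SUBJECT_TWO_CN)):
        print(label, rdn_order(der), "->", last_cn(der))
```

The 2726-shaped subject is over 127 bytes, so its outer SEQUENCE uses a long-form length and exercises that branch of `read_tlv`. Multi-valued RDNs (several AttributeTypeAndValues inside one SET) are flattened in sequence order; if the stipulation were instead "last RDN containing a CN", that flattening step is where the distinction would have to be made.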
