Nelson B Bolyard wrote:
> > You can have two AVAs of the same type in the one RDN, i.e.
> > two common names in the same RDN. There the interpretation
> > of most-significant is not clear.
>
> Agreed, in principle. In practice, I've never seen a certificate produced
> by a real CA with multiple AVAs in a single RDN. I've seen them in certs
> produced by test scripts, and by people playing with OpenSSL. :)
A few years ago I received a certificate of a productive PKI from a big account customer, and it had RDNames with two AVAs (CN= and SERIALNUMBER= in one RDName SET).

The concept of "most significant" only applies to RDName, and not to members of the RDName set (because a SET is specified to be an unordered list, and ASN.1 DER encoding actually enforces a specific canonical ordering for ASN.1 SETs that unconditionally overrules whatever the creator of the distinguished name may have desired).

So technically an RDName set with two different CN= is possible. In the sense of the directory hierarchy, both of them are "most significant". So that part of rfc-2818 doesn't make any sense.

-Martin

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
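The DER ordering rule Martin describes, worked through as an added example (this is not code from the thread or from any library the posters mention): a minimal, dependency-free DER encoder for X.501 Name / RelativeDistinguishedName / AttributeTypeAndValue. The attribute values (CN=Martin, SERIALNUMBER=1234, O=Example GmbH, the two common names "Bob" and "Alice") are constructed sample data. The encoder builds the same multi-valued RDN with the AVAs given in both orders and shows that the DER bytes are identical, because X.690 sorts the members of a SET OF by their encoded octets; which AVA ends up first is decided by the encoding (here by its length byte), not by the creator and not even by the attribute type.

```python
"""Encode an X.501 RelativeDistinguishedName in DER and watch the SET ordering.

Added example for the thread above, not code from the mailing list or from
any named library.  OIDs are the X.520 attribute types; all attribute values
below are constructed sample data.
"""

# X.520 attribute type OIDs
OID_CN = (2, 5, 4, 3)            # id-at-commonName
OID_SERIALNUMBER = (2, 5, 4, 5)  # id-at-serialNumber
OID_C = (2, 5, 4, 6)             # id-at-countryName
OID_O = (2, 5, 4, 10)            # id-at-organizationName

UTF8STRING = 0x0C
PRINTABLESTRING = 0x13


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(arcs: tuple) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunks))
    return tlv(0x06, body)


def encode_ava(oid: tuple, value: str, string_tag: int) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value DirectoryString }"""
    return tlv(0x30, encode_oid(oid) + tlv(string_tag, value.encode("utf-8")))


def encode_rdn(avas: list) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue.

    DER (X.690 11.6) requires SET OF members in ascending order of their
    encoded octets, so the order the caller passes in is discarded.  Python's
    bytes ordering matches that rule here: two distinct valid AVA encodings
    can never be in a prefix relationship (they differ in the length octets
    or have equal length), so the padding clause of 11.6 never applies.
    """
    return tlv(0x31, b"".join(sorted(avas)))


def encode_name(rdns: list) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName.  Order is preserved:
    the SEQUENCE, not the SET, is where the directory hierarchy lives."""
    return tlv(0x30, b"".join(rdns))


def der_set_order(labelled: dict) -> list:
    """Labels of the given AVA encodings in the order DER will emit them."""
    by_encoding = {enc: label for label, enc in labelled.items()}
    return [by_encoding[enc] for enc in sorted(by_encoding)]


def first_ava_oid(rdn_der: bytes) -> tuple:
    """Parse an encoded RDN and return the type OID of the AVA that came first.
    Assumes short-form lengths (all sample data here is well under 128 bytes)."""
    assert rdn_der[0] == 0x31 and rdn_der[2] == 0x30 and rdn_der[4] == 0x06
    oid_len = rdn_der[5]
    body = rdn_der[6:6 + oid_len]
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def multi_valued_rdn_is_order_independent() -> bool:
    """CN then SERIALNUMBER vs. SERIALNUMBER then CN: identical DER."""
    cn = encode_ava(OID_CN, "Martin", UTF8STRING)
    sn = encode_ava(OID_SERIALNUMBER, "1234", PRINTABLESTRING)
    return encode_rdn([cn, sn]) == encode_rdn([sn, cn])


def example_subject() -> bytes:
    """C=DE, O=Example GmbH, then one RDN holding both CN and SERIALNUMBER."""
    return encode_name([
        encode_rdn([encode_ava(OID_C, "DE", PRINTABLESTRING)]),
        encode_rdn([encode_ava(OID_O, "Example GmbH", UTF8STRING)]),
        encode_rdn([encode_ava(OID_CN, "Martin", UTF8STRING),
                    encode_ava(OID_SERIALNUMBER, "1234", PRINTABLESTRING)]),
    ])


if __name__ == "__main__":
    print(multi_valued_rdn_is_order_independent())
    print(der_set_order({"CN": encode_ava(OID_CN, "Martin", UTF8STRING),
                         "SERIALNUMBER": encode_ava(OID_SERIALNUMBER, "1234", PRINTABLESTRING)}))
    # Two common names in one RDN: "Bob" sorts first only because its
    # encoding is shorter, not because of any alphabetical or creator order.
    print(der_set_order({"Bob": encode_ava(OID_CN, "Bob", UTF8STRING),
                         "Alice": encode_ava(OID_CN, "Alice", UTF8STRING)}))
    print(example_subject().hex())
```

With these sample values the serialNumber AVA lands first in the SET (its SEQUENCE is 13 bytes against 15 for the CN), and of the two common names "Bob" precedes "Alice" for the same reason, which is why a client that reads "the first CN" out of a multi-valued RDN is reading an artefact of the encoding rather than anything the CA intended.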
