On 08.06.2010 20:50, =JeffH wrote:
> I personally seem to recall observing certs in the wild whose string-formatted
> DNames included the "+" notation as Martin illustrates above, and which denotes
> an RDN SET, although I don't recall whether such certs were produced by "real
> CAs" as Nelson terms a certain subclass of CAs.
> 
> Kaspar -- would information wrt multi-valued RDNames be embodied in the sample
> you used to generate the above info you shared with the list?  If so, are there
> any occurrences, and if so what's the frequency?

There are 38 occurrences (out of ~90,000), originating from three "real
CAs". The vast majority (34) are EV SSL certs from a CA which apparently
likes to stuff the CN (2.5.4.3) and the serialNumber (2.5.4.5)
attributes into a single RDN. [Not so surprisingly, the remaining 4
certs were issued by two CAs which apparently run their infrastructure
with software from that other "real CA" - which is the reason for seeing
the same peculiar encoding in their certs.]

In the context of this BCP, I consider the discussion about
"multi-valued RDNs" an academic thing, mostly. I would not mind,
however, changing the last sentence in section 2.2, item 6 to something
like "Furthermore, the certificate's subject Distinguished Name SHOULD
NOT contain more than one Common Name attribute, and MUST NOT contain
RDNs which consist of multiple Common Name attributes" (provided that
this wording pleases the ASN.1 terminology experts in the audience here).

The definition of "CN-ID" in section 1.3 should probably also be adapted
(i.e., it should explicitly forbid multi-CN RDNs).

Kaspar
_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
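The encoding discussed in this message (CN and serialNumber stuffed into a single RDN SET, which string-formats with the "+" notation) and the proposed section 2.2 item 6 wording can both be checked mechanically on a certificate's subject Name. The following is an added example written for this page, not code from the thread, the BCP, or any CA or toolkit mentioned: a minimal pure-Python DER encoder/decoder for an X.509 Name plus a check that reports how many CN attributes the Name carries and whether any single RDN holds more than one CN. The sample names are constructed for the example, and attribute values are assumed to be UTF8String.

```python
"""Minimal DER encoder/decoder for X.509 Name, plus a check for the proposed
section 2.2 item 6 rule (at most one CN overall; never more than one CN in a
single RDN). Attribute values are assumed to be UTF8String. All sample names
below are constructed for this example, not taken from real certificates."""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.5": "serialNumber", "2.5.4.6": "C",
             "2.5.4.10": "O"}
CN_OID = "2.5.4.3"


def _der_len(n):
    # Short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_name(rdns):
    """rdns: list of RDNs, each a list of (dotted OID, str) pairs.
    An RDN with more than one pair becomes a multi-valued SET."""
    out = b""
    for rdn in rdns:
        atvs = [_tlv(0x30, _encode_oid(oid) + _tlv(0x0C, val.encode()))
                for oid, val in rdn]
        out += _tlv(0x31, b"".join(sorted(atvs)))  # DER: SET OF is sorted
    return _tlv(0x30, out)


def _parse_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(content):
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Return the Name as a list of RDNs, each a list of (OID, value)."""
    tag, body, _ = _parse_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _parse_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        attrs, p = [], 0
        while p < len(rdn):
            _, atv, p = _parse_tlv(rdn, p)          # AttributeTypeAndValue
            _, oid, q = _parse_tlv(atv, 0)
            _, val, _ = _parse_tlv(atv, q)
            attrs.append((_decode_oid(oid), val.decode("utf-8")))
        rdns.append(attrs)
    return rdns


def name_to_string(rdns):
    """String form; '+' joins the attributes of one multi-valued RDN."""
    return ",".join("+".join(f"{OID_NAMES.get(o, o)}={v}" for o, v in rdn)
                    for rdn in rdns)


def check_cn_usage(rdns):
    """Apply the proposed rule: SHOULD NOT >1 CN overall, MUST NOT >1 CN per RDN."""
    cn_per_rdn = [sum(1 for oid, _ in rdn if oid == CN_OID) for rdn in rdns]
    return {
        "cn_count": sum(cn_per_rdn),
        "multi_valued_rdns": [i for i, rdn in enumerate(rdns) if len(rdn) > 1],
        "rdns_with_multiple_cn": [i for i, n in enumerate(cn_per_rdn) if n > 1],
        "must_not_violation": any(n > 1 for n in cn_per_rdn),
        "should_not_violation": sum(cn_per_rdn) > 1,
    }


# Constructed sample names (not real certificates):
CONVENTIONAL = [[("2.5.4.6", "XX")], [("2.5.4.10", "Example")],
                [(CN_OID, "www.example.com")]]
EV_STYLE = [[("2.5.4.6", "XX")], [("2.5.4.10", "Example")],
            [(CN_OID, "www.example.com"), ("2.5.4.5", "1234")]]  # CN+serialNumber in one RDN
MULTI_CN_RDN = [[("2.5.4.6", "XX")],
                [(CN_OID, "www.example.com"), (CN_OID, "example.com")]]
TWO_CN_RDNS = [[(CN_OID, "www.example.com")], [(CN_OID, "example.com")]]


def analyse(rdns):
    """Round-trip through DER and return (string form, check result)."""
    decoded = decode_name(encode_name(rdns))
    return name_to_string(decoded), check_cn_usage(decoded)


if __name__ == "__main__":
    for label, n in [("conventional", CONVENTIONAL), ("ev-style", EV_STYLE),
                     ("multi-cn-rdn", MULTI_CN_RDN), ("two-cn-rdns", TWO_CN_RDNS)]:
        print(label, *analyse(n))
```

The EV-style sample is a multi-valued RDN but has only one CN, so it passes the proposed wording; the third sample violates the MUST NOT, and the fourth (two single-valued CN RDNs) only the SHOULD NOT. Note that DER sorts the members of a SET OF, so the order of attributes inside a multi-valued RDN after decoding need not match the order they were written in.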