On 6/9/10 1:11 AM, Kaspar Brand wrote:
> On 08.06.2010 20:50, =JeffH wrote:
>> I personally seem to recall observing certs in the wild whose
>> string-formatted DNames included the "+" notation as Martin illustrates
>> above, and which denotes an RDN SET, although I don't recall whether such
>> certs were produced by "real CAs" as Nelson terms a certain subclass of CAs.
>>
>> Kaspar -- would information wrt multi-valued RDNames be embodied in the
>> sample you used to generate the above info you shared with the list? If so,
>> are there any occurrences, and if so what's the frequency?
>
> There are 38 occurrences (out of ~90,000), originating from three "real
> CAs". The vast majority (34) are EV SSL certs from a CA which apparently
> likes to stuff the CN (2.5.4.3) and the serialNumber (2.5.4.5)
> attributes into a single RDN. [Not so surprisingly, the remaining 4
> certs were issued by two CAs which apparently run their infrastructure
> with software from that other "real CA" - which is the reason for seeing
> the same peculiar encoding in their certs.]
Thanks for the numbers.
> In the context of this BCP, I consider the discussion about
> "multi-valued RDNs" an academic thing, mostly. I would not mind,
> however, to change the last sentence in section 2.2, item 6 to something
> like "Furthermore, the certificate's subject Distinguished Name SHOULD
> NOT contain more than one Common Name attribute, and MUST NOT contain
> RDNs which consist of multiple Common Name attributes" (provided that
> this wording pleases the ASN.1 terminology experts in the audience here).
Done in our working copy.
> The definition of "CN-ID" in section 1.3 should probably also be adapted
> (i.e., it should explicitly forbid multi-CN RDNs).
Is this a more accurate definition?
* CN-ID = a subject Distinguished Name (DN) whose constituent
  sequence of Relative Distinguished Names (RDNs) contains one
  and only one attribute value assertion (AVA) whose attribute
  type is Common Name (CN)
Peter
--
Peter Saint-Andre
https://stpeter.im/
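As an added illustration (not part of this thread or of the draft), here is a small Python check that applies the proposed section 2.2 item 6 wording to a DER-encoded subject Name: it counts CN AVAs per RDN SET, so the CN+serialNumber encoding Kaspar describes passes, two CNs in separate RDNs trip the SHOULD NOT, and an RDN consisting of two CNs trips the MUST NOT. The sample subjects are constructed, not taken from real certificates.

```python
# Added example (not from the thread): a minimal DER walker that applies the
# proposed section 2.2 item 6 wording to an X.509 subject Name, where
#   Name ::= SEQUENCE OF RDN;  RDN ::= SET OF AVA;  AVA ::= SEQUENCE {OID, value}
OID_CN = bytes.fromhex("550403")      # id-at-commonName (2.5.4.3)
OID_SERIAL = bytes.fromhex("550405")  # id-at-serialNumber (2.5.4.5)

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):  # yield (tag, value) for every TLV inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value

def cn_profile(name_der):
    """Return (total CN AVAs in the DN, most CN AVAs found inside one RDN)."""
    tag, rdn_seq, _ = _tlv(name_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    total, worst = 0, 0
    for tag, rdn in _children(rdn_seq):  # each RDN is a SET (tag 0x31)
        assert tag == 0x31, "RDN must be a SET"
        cns = sum(1 for _, ava in _children(rdn)
                  if _tlv(ava, 0)[:2] == (0x06, OID_CN))
        total, worst = total + cns, max(worst, cns)
    return total, worst

def check_cn_id(name_der):
    """Multi-CN RDN hits the MUST NOT; more than one CN overall, the SHOULD NOT."""
    total, worst = cn_profile(name_der)
    if worst > 1:
        return "MUST NOT: an RDN consists of multiple CN attributes"
    if total > 1:
        return "SHOULD NOT: more than one CN attribute in the subject DN"
    return "ok"
def _der(tag, *parts):  # DER encoder (short-form lengths) for the samples below
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
def _ava(oid, text):  # AttributeTypeAndValue carrying a UTF8String
    return _der(0x30, _der(0x06, oid), _der(0x0C, text.encode()))
# Constructed samples (not real certs); the first is the thread's CN+serialNumber RDN.
CN_PLUS_SERIAL = _der(0x30, _der(0x31, _ava(OID_CN, "www.example.com"), _ava(OID_SERIAL, "12345")))
TWO_CN_ONE_RDN = _der(0x30, _der(0x31, _ava(OID_CN, "a.example.com"), _ava(OID_CN, "b.example.com")))
TWO_CN_TWO_RDN = _der(0x30, _der(0x31, _ava(OID_CN, "a.example.com")), _der(0x31, _ava(OID_CN, "b.example.com")))
```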
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
