2.2 says
5. The certificate SHOULD NOT represent the server's fully-qualified
DNS domain name in a Relative Distinguished Name (RDN) of type
Common Name (CN) (see [LDAP-SCHEMA]), even though we recognize
that many deployed clients still check for this legacy identifier
configuration within certificate subjectName. However, if this
legacy identifier configuration is employed, then the server's
fully-qualified DNS domain name MUST be placed in the last (most
specific) RDN within the RDN sequence making up the certificate's
subjectName, as the order of RDNs is determined by the DER-
encoded Name within the server's PKIX certificate. Furthermore,
the certificate's subject Distinguished Name SHOULD NOT contain
more than one Common Name attribute, and MUST NOT contain RDNs
which consist of multiple Common Name attributes.
The second half is part of a redefinition of CN-ID
* CN-ID = a Relative Distinguished Name (RDN) in the certificate
subject that contains one and only one attribute value
assertion (AVA) whose attribute type is Common Name (CN)
I think one should say exactly the opposite:
5. The certificate SHOULD represent the server's fully-qualified
DNS domain name in exactly one CN-ID as the last RDN in the
subject DN.
The subject DN SHOULD NOT have more than one CN AVA.
And in the following
6. The certificate SHOULD NOT represent the server's fully-qualified
DNS domain name by means of a DC-ID, i.e., a series of Domain
Component (DC) attributes in the certificate subject, with one
RDN per domain label and one DC in each RDN. Although (for
example) <dc=www,dc=example,dc=com> could be used to represent
the DNS domain name "www.example.com", given the fact that the
DNS-ID can be used instead, the DC-ID is NOT RECOMMENDED.
There is no reason to reference DNS-ID here.
6. If present in a DN, a sequence of DCs SHOULD be a DC-ID.
Peter
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
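As an added example (not code from the draft or from Peter's message): the rule he proposes is something a client or a certificate linter has to check against the DER-encoded Name, since that encoding fixes which RDN is "last". The block below decodes a subject Name with a small, purpose-written DER parser, then checks that the FQDN sits in exactly one CN-ID (an RDN with a single CN AVA) that is the last RDN, flags multi-valued CN RDNs, and reports any run of single-DC RDNs as the DC-ID it would spell. The names encode_name, decode_name and check_subject are chosen for this example, and the sample subjects at the bottom are constructed, not taken from any real certificate.

```python
# Added example, not code from the draft or the mailing-list post.
# Minimal DER encoder/decoder for an X.509 Name plus a CN-ID / DC-ID check.
# encode_name(), decode_name(), check_subject() are names chosen here;
# the subject Names built at the bottom are constructed test data.

OID_CN = "2.5.4.3"                      # id-at-commonName
OID_DC = "0.9.2342.19200300.100.1.25"   # domainComponent
OID_O = "2.5.4.10"                      # organizationName
OID_C = "2.5.4.6"                       # countryName


def _tlv(tag, body):
    """DER tag-length-value with definite-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns):
    """rdns: RDNs in DER order, each a list of (oid, value) AVAs.
    Values are written as UTF8String; AVAs in a SET are sorted as DER requires."""
    encoded = []
    for rdn in rdns:
        avas = sorted(_tlv(0x30, _encode_oid(oid) + _tlv(0x0C, val.encode()))
                      for oid, val in rdn)
        encoded.append(_tlv(0x31, b"".join(avas)))
    return _tlv(0x30, b"".join(encoded))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    # First byte packs the first two arcs; fine for the 0.x / 2.5.x OIDs used here.
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Return the RDN sequence as a list of lists of (oid, value), in DER order,
    which is the order the draft means by 'last (most specific) RDN'."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        avas, p = [], 0
        while p < len(rdn_set):
            _, ava, p = _read_tlv(rdn_set, p)
            _, oid_body, q = _read_tlv(ava, 0)
            _, val_body, _ = _read_tlv(ava, q)
            avas.append((_decode_oid(oid_body), val_body.decode()))
        rdns.append(avas)
    return rdns


def check_subject(der, fqdn):
    """Proposed rule: the FQDN is in exactly one CN-ID, which is the last RDN,
    and no other CN appears. A run of single-DC RDNs is reported as a DC-ID."""
    rdns = decode_name(der)
    problems = []
    if sum(1 for rdn in rdns for oid, _ in rdn if oid == OID_CN) > 1:
        problems.append("subject contains more than one CN attribute")
    for i, rdn in enumerate(rdns):
        if sum(1 for oid, _ in rdn if oid == OID_CN) > 1:
            problems.append(f"RDN {i} has multiple CN values and is not a CN-ID")
    last = rdns[-1] if rdns else []
    cn_id = last[0][1] if len(last) == 1 and last[0][0] == OID_CN else None
    if cn_id is None:
        problems.append("last RDN is not a CN-ID")
    elif cn_id.lower() != fqdn.lower():
        problems.append("CN-ID does not match the expected FQDN")
    # DC-ID: one label per RDN, one DC per RDN; DER order is com, example, www.
    labels = [rdn[0][1] for rdn in rdns if len(rdn) == 1 and rdn[0][0] == OID_DC]
    if any(oid == OID_DC for rdn in rdns for oid, _ in rdn if len(rdn) != 1):
        problems.append("DC attribute inside a multi-valued RDN; not a DC-ID")
    dc_id = ".".join(reversed(labels)) if labels else None
    return {"cn_id": cn_id, "dc_id": dc_id, "problems": problems}


# Constructed sample subjects (not from any real certificate).
GOOD = encode_name([[(OID_C, "US")], [(OID_O, "Example Corp")],
                    [(OID_CN, "www.example.com")]])
CN_NOT_LAST = encode_name([[(OID_CN, "www.example.com")], [(OID_O, "Example Corp")]])
DC_ONLY = encode_name([[(OID_DC, "com")], [(OID_DC, "example")], [(OID_DC, "www")]])

if __name__ == "__main__":
    for label, der in (("GOOD", GOOD), ("CN_NOT_LAST", CN_NOT_LAST), ("DC_ONLY", DC_ONLY)):
        print(label, check_subject(der, "www.example.com"))
```

The decoder deliberately returns RDNs in encoding order rather than the reversed RFC 4514 string order, so that "last RDN" in the check means the same thing the draft means; a client that matched on the string form would pick the wrong end of the sequence.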