On 6/11/10 6:10 PM, Paul Hoffman wrote:
>> However, if this legacy identifier configuration is employed, then
>> the server's fully-qualified DNS domain name MUST be placed in the
>> last (most specific) RDN within the RDN sequence making up the
>> certificate's subjectName, as the order of RDNs is determined by
>> the DER-encoded Name within the server's PKIX certificate.
> 
> I always get this wrong, so I assume people less familiar with PKIX
> do as well. Before you say "(most specific)" as if it was a toss-off,
> you should define "most specific RDN" as "the last RDN within a
> sequence", probably in section 1.3.

Two questions:

1. Some people use "most significant" and "most specific"
interchangeably. Which is correct?

2. More substantially, we currently have this text:

   The subject field of a PKIX certificate is defined as an X.501 type
   Name and known as a Distinguished Name (DN) -- see [X.501] and
   [PKIX].  A DN is an ordered sequence of Relative Distinguished Names
   (RDNs), where each RDN is a set (i.e., an unordered group) of type-
   and-value pairs or "attribute value assertions" (AVAs) [LDAP-DN],
   each of which asserts some attribute about the subject of the
   certificate.  In the DER encoding of a DN, the RDNs are always in
   order from most significant to least significant (i.e., the first RDN
   is most significant and the last RDN is least significant); however,
   in the string representation of a DN as used in various protocols and
   data formats, the RDNs might be ordered from most significant to
   least significant (e.g., this is true of LDAP) or from least
   significant to most significant.

Is the first RDN most specific, or is the last RDN most specific? I
realize that the first one now will later be last [1] depending on the
string representation, but my understanding is that in the DER encoding
it's the first RDN that is most specific. Corrections are welcome.

/psa

[1] http://www.bobdylan.com/#/songs/the-times-they-are-a-changin
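The question above turns on how the RDN order in the DER-encoded Name relates to the order seen in string forms. As an added example (not part of the thread or of the draft text quoted in it), the following Python script DER-encodes a constructed subject Name with one AVA per RDN, decodes it back, and renders it in the two string conventions a practitioner usually meets: the OpenSSL-style "/C=.../O=.../CN=..." form, which follows the DER SEQUENCE order, and the RFC 4514 (LDAP) form, in which the RDNs appear in the reverse of the ASN.1 order. The sample name, the attribute-to-OID table (limited to C, O, OU, CN) and the omission of RFC 4514 value escaping are simplifications of this example, not properties of any standard library.

```python
"""Added example: DER-encode an X.501 Name and compare RDN orderings.

Not code from the thread or the draft; sample subject name is constructed.
Assumes single-AVA RDNs with UTF8String values and omits RFC 4514 escaping.
"""

# Real X.520 attribute type OIDs for the four attribute types this example supports.
ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
OID_ATTRS = {oid: attr for attr, oid in ATTR_OIDS.items()}


def _der_len(n):
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns):
    """rdns: list of (attr, value) in DER order, i.e. most significant first.

    Name ::= SEQUENCE OF RelativeDistinguishedName
    RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
    """
    blobs = []
    for attr, value in rdns:
        ava = _tlv(0x30, _encode_oid(ATTR_OIDS[attr]) + _tlv(0x0C, value.encode()))
        blobs.append(_tlv(0x31, ava))  # SET OF AttributeTypeAndValue (one member)
    return _tlv(0x30, b"".join(blobs))  # SEQUENCE OF RDN


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Walk the SEQUENCE and return (attr, value) pairs in DER order."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn_body, pos = _read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        _, ava_body, _ = _read_tlv(rdn_body, 0)          # single AVA assumed
        _, oid_body, p = _read_tlv(ava_body, 0)
        _, val_body, _ = _read_tlv(ava_body, p)
        rdns.append((OID_ATTRS[_decode_oid(oid_body)], val_body.decode()))
    return rdns


def openssl_style(rdns):
    """OpenSSL's one-line form follows the DER order: most significant first."""
    return "/" + "/".join(f"{a}={v}" for a, v in rdns)


def rfc4514_style(rdns):
    """RFC 4514 string form lists RDNs in the reverse of the ASN.1 order."""
    return ",".join(f"{a}={v}" for a, v in reversed(rdns))


def last_rdn(rdns):
    """The RDN the quoted draft text means by 'last (most specific)' in DER order."""
    return rdns[-1]


if __name__ == "__main__":
    # Constructed sample subject, written in DER (most-significant-first) order.
    subject = [("C", "US"), ("O", "Example Corp"), ("CN", "www.example.com")]
    der = encode_name(subject)
    print("DER bytes:   ", der.hex())
    print("OpenSSL form:", openssl_style(decode_name(der)))
    print("RFC 4514 form:", rfc4514_style(decode_name(der)))
    print("last RDN:    ", last_rdn(decode_name(der)))
```

Running it shows the same DER bytes rendered as "/C=US/O=Example Corp/CN=www.example.com" and as "CN=www.example.com,O=Example Corp,C=US": the CN is the last RDN in the encoding yet the first token in the LDAP string, which is exactly the ambiguity the message asks about. A verifier that follows the draft's rule should therefore index the decoded SEQUENCE, not parse a string form, when deciding which RDN is "last".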


_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid