On 29/06/2010 23:07, Peter Saint-Andre wrote:
On 6/11/10 6:10 PM, Paul Hoffman wrote:
However, if this legacy identifier configuration is employed, then
the server's fully-qualified DNS domain name MUST be placed in the
last (most specific) RDN within the RDN sequence making up the
certificate's subjectName, as the order of RDNs is determined by
the DER-encoded Name within the server's PKIX certificate.

I always get this wrong, so I assume people less familiar with PKIX
do as well. Before you say "(most specific)" as if it was a toss-off,
you should define "most specific RDN" as "the last RDN within a
sequence", probably in section 1.3.

Two questions:

1. Some people use "most significant" and "most specific"
interchangeably. Which is correct?

2. More substantially, we currently have this text:

    The subject field of a PKIX certificate is defined as an X.501 type
    Name and known as a Distinguished Name (DN) -- see [X.501] and
    [PKIX].  A DN is an ordered sequence of Relative Distinguished Names
    (RDNs), where each RDN is a set (i.e., an unordered group) of type-
    and-value pairs or "attribute value assertions" (AVAs) [LDAP-DN],
    each of which asserts some attribute about the subject of the
    certificate.  In the DER encoding of a DN, the RDNs are always in
    order from most significant to least significant (i.e., the first RDN
    is most significant and the last RDN is least significant); however,
    in the string representation of a DN as used in various protocols and
    data formats, the RDNs might be ordered from most significant to
    least significant (e.g., this is true of LDAP) or from least
    significant to most significant.

Is the first RDN most specific, or is the last RDN most specific? I
realize that the first one now will later be last [1] depending on the
string representation, but my understanding is that in the DER encoding
it's the first RDN that is most specific. Corrections are welcome.

I've always understood (perhaps by mistake) that the most specific was the last in the sequence. This also seems to reflect going "deeper" in the LDAP tree.

For example, (from www.google.com:443), the Subject DN is:

 156  104:     SEQUENCE {
 158   11:       SET {
 160    9:         SEQUENCE {
 162    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 167    2:           PrintableString 'US'
         :           }
         :         }
 171   19:       SET {
 173   17:         SEQUENCE {
 175    3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 180   10:           PrintableString 'California'
         :           }
         :         }
 192   22:       SET {
 194   20:         SEQUENCE {
 196    3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 201   13:           TeletexString 'Mountain View'
         :           }
         :         }
 216   19:       SET {
 218   17:         SEQUENCE {
 220    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 225   10:           TeletexString 'Google Inc'
         :           }
         :         }
 237   23:       SET {
 239   21:         SEQUENCE {
 241    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 246   14:           TeletexString 'www.google.com'
         :           }
         :         }
         :       }
I think most I've seen follow this naming structure: country first and CN last. Intuitively, this seems to suggest that the first in the sequence is the least specific and that the last in the sequence is the most specific, if we use this terminology. (Is this correct?)


Best wishes,

Bruno.
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
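The ordering question in the thread is easiest to settle by looking at the bytes. The following is an added example, not code from the thread or from any IETF draft: a minimal, dependency-free DER encoder/decoder for an X.501 Name. It rebuilds a Name with the same RDNs, attribute types and string tags as the dumpasn1 output Bruno quoted (the byte layout is produced here, the values are taken from that dump), decodes it back, and renders the RDNs in DER order, in the RFC 4514 LDAP string form (which reverses DER order, so CN comes first) and in the OpenSSL "oneline" form (which keeps DER order, so CN comes last). It then implements the quoted legacy rule as a check: the hostname must be the CN of the last RDN in the DER sequence. The encoder and decoder assume one AVA per RDN and omit RFC 4514 escaping; `OID_NAMES` covers only the five attribute types in the dump.

```python
"""DER-encoded X.501 Name: RDN order in bytes vs. string representations.

Constructed example for the certid thread discussion; not from the thread
or any draft. Values below come from the quoted www.google.com dump; the
DER bytes are produced here by a minimal hand-written encoder.
"""

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_PRINTABLE, TAG_T61, TAG_UTF8 = 0x13, 0x14, 0x0C

# OID -> RFC 4514 short name, for the attribute types used in the dump only.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O"}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """Dotted OID -> OBJECT IDENTIFIER TLV (first two arcs share one subid)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]
        sid >>= 7
        while sid:
            chunk.insert(0, 0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(chunk)
    return tlv(TAG_OID, bytes(out))


def encode_name(rdns):
    """rdns: list in DER order of lists of (oid, string_tag, value).
    Name = SEQUENCE OF RDN; RDN = SET OF AVA; AVA = SEQUENCE {type, value}.
    Values are ASCII here, so latin-1 matches PrintableString/T61String."""
    return tlv(TAG_SEQUENCE, b"".join(
        tlv(TAG_SET, b"".join(
            tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(stag, val.encode("latin-1")))
            for oid, stag, val in rdn))
        for rdn in rdns))


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def read_children(content):
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))


def decode_name(der):
    """Return RDNs in DER order as a list of lists of (short_name, value)."""
    tag, content, end = read_tlv(der, 0)
    assert tag == TAG_SEQUENCE and end == len(der), "not a single Name"
    rdns = []
    for stag, sbody in read_children(content):
        assert stag == TAG_SET, "RDN must be a SET"
        avas = []
        for atag, abody in read_children(sbody):
            assert atag == TAG_SEQUENCE, "AVA must be a SEQUENCE"
            (otag, oid_body), (vtag, vbody) = read_children(abody)
            assert otag == TAG_OID, "AVA type must be an OID"
            oid = decode_oid(oid_body)
            text = vbody.decode("utf-8" if vtag == TAG_UTF8 else "latin-1")
            avas.append((OID_NAMES.get(oid, oid), text))
        rdns.append(avas)
    return rdns


def rdn_to_string(rdn):
    return "+".join(f"{n}={v}" for n, v in rdn)   # RFC 4514 escaping omitted


def rfc4514_string(rdns):
    """LDAP string form reverses DER order: the last RDN is printed first."""
    return ",".join(rdn_to_string(r) for r in reversed(rdns))


def openssl_oneline(rdns):
    """OpenSSL 'oneline' form keeps DER order: the last RDN is printed last."""
    return "/" + "/".join(rdn_to_string(r) for r in rdns)


def legacy_cn_matches(der, hostname):
    """Quoted legacy rule: hostname must be the CN of the last RDN in DER order."""
    cns = [v for n, v in decode_name(der)[-1] if n == "CN"]
    return len(cns) == 1 and cns[0].lower() == hostname.lower()


# Constructed from the RDN values and string tags in the quoted dump.
GOOGLE_SUBJECT = encode_name([
    [("2.5.4.6", TAG_PRINTABLE, "US")],
    [("2.5.4.8", TAG_PRINTABLE, "California")],
    [("2.5.4.7", TAG_T61, "Mountain View")],
    [("2.5.4.10", TAG_T61, "Google Inc")],
    [("2.5.4.3", TAG_T61, "www.google.com")],
])

if __name__ == "__main__":
    rdns = decode_name(GOOGLE_SUBJECT)
    print("DER order :", [rdn_to_string(r) for r in rdns])
    print("RFC 4514  :", rfc4514_string(rdns))
    print("OpenSSL   :", openssl_oneline(rdns))
    print("legacy CN :", legacy_cn_matches(GOOGLE_SUBJECT, "www.google.com"))
```

Running it reproduces the 104-byte SEQUENCE from the dump and prints the same five RDNs in DER order, then as `CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US` (RFC 4514) and `/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com` (OpenSSL). The point for implementers is that `legacy_cn_matches` must walk the DER sequence, not a string rendering: a Name encoded with CN first and C last is a different sequence of bytes and fails the check even though some string forms would print it identically.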