On 06/30/2010 02:17 AM, Paul Hoffman wrote:
At 4:07 PM -0600 6/29/10, Peter Saint-Andre wrote:
Is the first RDN most specific, or is the last RDN most specific? I
realize that the first one now will later be last [1] depending on the
string representation, but my understanding is that in the DER encoding
it's the first RDN that is most specific. Corrections are welcome.
This paragraph shows why it is crazy to assume that developers understand this.
To me it only shows the missing understanding of one person.
'this' refers to what? The text in this draft or RFC 5280?
First: if the RDN is a sequence, then whether it is encoded in DER or BER is
irrelevant. The difference in the two encodings is only relevant for SETs.
According to RFC 5280:
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::=
SET SIZE (1..MAX) OF AttributeTypeAndValue
However, RFC 5280 does not say which of the sequence is "most specific".
IMO it is not exactly the best place, but at the end of paragraph 7.1 there is:
"A distinguished name DN1 is within the subtree defined by the
distinguished name DN2 if DN1 contains at least as many RDNs as DN2,
and DN1 and DN2 are a match when trailing RDNs in DN1 are ignored."
Given a natural interpretation of tree and subtree, one can deduce
that the "highest" RDN is the first, or the most specific is the last.
But since this is so nicely hidden, a reminder seems useful.
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
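An added illustration of the ordering discussed in the reply (example code written for this note, not from the thread, the draft or RFC 5280): a DN modelled as a Python list of RDNs in RDNSequence order, the section 7.1 "within the subtree" rule, and the reversal that the string form performs. The attribute types and values are constructed sample data, and value matching is exact rather than the section 7.1 string comparison.

```python
# DN = list of RDNs in ASN.1 RDNSequence order: index 0 is the root-most RDN,
# the last element is the most specific one.
# RDN = SET OF AttributeTypeAndValue, modelled as a frozenset of (type, value)
# pairs, so element order inside an RDN does not matter. That is the SET whose
# element order DER fixes and BER leaves free; the SEQUENCE order of the RDNs
# themselves is the same in both encodings.

def rdn(*avas):
    """Build one RDN from (type, value) pairs; their order is irrelevant."""
    return frozenset(avas)

def within_subtree(dn1, dn2):
    """RFC 5280 section 7.1 rule: DN1 is within the subtree defined by DN2 if
    DN1 has at least as many RDNs as DN2 and the two match once the trailing
    RDNs of DN1 are ignored. Simplification: values are compared exactly, not
    with the section 7.1 string preparation and case-insensitive comparison."""
    if len(dn1) < len(dn2):
        return False
    return list(dn1[:len(dn2)]) == list(dn2)

def to_string(dn):
    """Render in the RFC 4514 style, which lists the most specific RDN first,
    i.e. the reverse of the ASN.1 sequence order."""
    return ",".join(
        "+".join(f"{t}={v}" for t, v in sorted(r)) for r in reversed(dn))

# Constructed sample DNs (not real certificates).
ORG_DN = [rdn(("C", "US")), rdn(("O", "Example Corp"))]
USER_DN = ORG_DN + [rdn(("OU", "Engineering")), rdn(("CN", "Alice"))]
OTHER_DN = [rdn(("C", "US")), rdn(("O", "Other Corp")), rdn(("CN", "Bob"))]

if __name__ == "__main__":
    print(to_string(USER_DN))                 # CN=Alice,OU=Engineering,O=Example Corp,C=US
    print(within_subtree(USER_DN, ORG_DN))    # True: USER_DN lies under ORG_DN
    print(within_subtree(OTHER_DN, ORG_DN))   # False: second RDN differs
```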