Peter Saint-Andre wrote:
> In version -05 we had the following text:
>
> Domain Components (DCs) are unordered. Therefore the following two
> sets of DCs would be equivalent:
>
> dc=com, dc=example, dc=cn
>
> dc=cn, dc=example, dc=com
>
> Because com.example.cn is presumably different from cn.example.com,
> representing or verifying an application server's DNS domain name
> based on domain components would open a serious security hole. As a
> result, certificate issuers and application clients MUST NOT use DCs.
Slightly OT: adding DC= AVAs to a DName would be fairly unreasonable if they did _not_ have a defined order. I assume that the order is as much defined as it is for the regular "hierarchical directory tree".

Although my PKIX & LDAP exposure is at the homeopathic level, I assume the idea of the DC= components could be to establish something like a hierarchical LDAP directory model based on DNS rather than assuming a single global X.500 directory hierarchy and full-fledged DAP.

-Martin

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
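The exchange above turns on two things: reading the DC= AVAs of a DN in order yields a DNS name (so com.example.cn and cn.example.com are different hosts), yet the -05 draft text treats DCs as an unordered set, which would make those two DNs equivalent. The following is an added example, not code from the thread, the draft, or any IETF implementation: it parses the simple comma-separated text form of a DN used in the quoted message (a simplified parser, not a full RFC 4514 one), shows how the set view and the ordered view disagree, and applies the draft's rule on the verifier side by building the server's reference identities only from dNSName subjectAltName values and never from DCs. All function names are hypothetical.

```python
import re
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a text-form DN into (attribute, value) pairs, leftmost RDN first.

    Assumption: single-valued RDNs separated by commas, with only the
    backslash-escaped comma handled. That covers the DNs in the thread;
    it is not a complete RFC 4514 parser.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def domain_components(dn: str) -> List[str]:
    """The DC values in the order they appear in the DN."""
    return [value for attr, value in parse_dn(dn) if attr == "dc"]


def dns_name_from_dcs(dn: str) -> str:
    """The DNS name a reader gets by joining DCs in DN order.

    The text DN lists the most specific RDN first (dc=example,dc=com is
    example.com), so the labels join left to right; permuting the DCs
    produces a different host name.
    """
    return ".".join(domain_components(dn))


def same_dc_set(dn_a: str, dn_b: str) -> bool:
    """The -05 draft's 'DCs are unordered' reading: compare DCs as a set.

    Two DNs whose DCs are merely permuted compare equal here even though
    dns_name_from_dcs() gives different hosts for them.
    """
    return set(domain_components(dn_a)) == set(domain_components(dn_b))


def reference_identities(dn: str, dns_sans: List[str]) -> List[str]:
    """Server identities a verifier may match the expected host against.

    Following the quoted rule (clients MUST NOT use DCs), the subject DN's
    DC components are deliberately ignored; only dNSName SAN entries count.
    The dn parameter is accepted so the policy is explicit at the call site.
    """
    _ = domain_components(dn)  # parsed but intentionally not used
    return [san.lower().rstrip(".") for san in dns_sans]


def server_identity_matches(dn: str, expected_host: str, dns_sans: List[str]) -> bool:
    """True only if the expected host appears among the permitted identities."""
    return expected_host.lower().rstrip(".") in reference_identities(dn, dns_sans)


if __name__ == "__main__":
    # Constructed sample DNs taken from the quoted draft text.
    dn_1 = "dc=com, dc=example, dc=cn"
    dn_2 = "dc=cn, dc=example, dc=com"
    print(dns_name_from_dcs(dn_1), "vs", dns_name_from_dcs(dn_2))
    print("set view says equivalent:", same_dc_set(dn_1, dn_2))
    # Even when the DCs of dn_2 spell the expected host, the verifier refuses
    # to accept the identity without a matching dNSName SAN.
    print(server_identity_matches(dn_2, "cn.example.com", []))
    print(server_identity_matches(dn_2, "cn.example.com", ["cn.example.com"]))
```

Running the script prints the two different host names, reports that the set comparison nevertheless calls the DNs equivalent, and shows the verifier rejecting the DC-derived match until a dNSName SAN supplies the identity.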
