On Mon, Mar 18, 2002 at 10:53:05AM -0500, Harald Koch wrote:
> objects.txt defines the following:
>
> X509 4 : S : surname
> X509 5 : SN : serialNumber
>
> (X509 4 is 2.5.4.4).
>
> RFC2256 defines surname (2.5.4.4) as 'sn', and 2.5.4.5 as
> "serialNumber", creating a conflict when going from a certificate
> subject DN to an LDAP DN.
>
> I can't find a justification for the shortforms currently in objects.txt
> anywhere in the PKIX documents. That's not to say there isn't a
> justification, because I don't have a current X.500 series that defines
> these attributes. :-)
>
> My recommendation would be to change the surname shortform to 'sn' to
> match LDAP, and to remove or change the serialnumber shortform.
>
> Comments?

I did quite some research on the Web and did find that in all contexts
with respect to LDAP your complaint is correct.

I also found a small number of locations, e.g.
http://support.entegrity.com/private/doclib/docs/osfhtm/admin/admingd/Adming66.htm
at which the OpenSSL style is used. (Please note that I don't have a clue
within which context entegrity.com is to be seen, the location was just
found by Google :-). In some places I found even more strange results
which seem to result from typos, as the term "CN" was used...

To me it seems that the recommended change makes sense. I am however
not sure whether this will break existing applications.
Steve Henson is most familiar with the X.509 part of OpenSSL and should
give his statement.

Best regards,
	Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
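
The short-name conflict discussed in this thread, as an added example that is not part of either message and is not OpenSSL code: it flags subject attributes whose OpenSSL short name reads differently under RFC 2256 and builds the LDAP DN by OID lookup instead of copying labels. The function names and the sample subject are constructed for illustration; the CN, O and C rows are standard attributes added alongside the two rows quoted above.

```python
# OID tables. The surname/serialNumber rows are the ones quoted in the thread;
# CN, O and C are standard X.520 attributes added so the sample is realistic.
OPENSSL_SHORT_TO_OID = {  # objects.txt short names as described in the message
    "S": "2.5.4.4",       # surname
    "SN": "2.5.4.5",      # serialNumber
    "CN": "2.5.4.3", "O": "2.5.4.10", "C": "2.5.4.6",
}
OID_TO_LDAP = {           # RFC 2256 attribute names
    "2.5.4.4": "sn", "2.5.4.5": "serialNumber",
    "2.5.4.3": "cn", "2.5.4.10": "o", "2.5.4.6": "c",
}
# LDAP attribute names are matched case-insensitively.
LDAP_NAME_TO_OID = {name.lower(): oid for oid, name in OID_TO_LDAP.items()}

def escape_value(value):
    """Escape an attribute value for the RFC 2253 string form."""
    out = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def mislabeled(subject):
    """Return (short_name, intended_oid, oid_ldap_would_read) for each RDN
    whose OpenSSL short name means something else, or nothing, under LDAP."""
    issues = []
    for name, _ in subject:
        intended = OPENSSL_SHORT_TO_OID[name]
        seen_as = LDAP_NAME_TO_OID.get(name.lower())
        if seen_as != intended:
            issues.append((name, intended, seen_as))
    return issues

def to_ldap_dn(subject):
    """Build an LDAP DN by OID lookup; RFC 2253 lists the last RDN first."""
    parts = []
    for name, value in reversed(subject):
        oid = OPENSSL_SHORT_TO_OID[name]
        parts.append(OID_TO_LDAP.get(oid, oid) + "=" + escape_value(value))
    return ",".join(parts)

# Constructed sample subject, in certificate order, using OpenSSL short names.
SAMPLE = [("C", "DE"), ("O", "Example, Inc."), ("S", "Doe"),
          ("SN", "0042"), ("CN", "Jane Doe")]

if __name__ == "__main__":
    print(mislabeled(SAMPLE))
    print(to_ldap_dn(SAMPLE))
```

The second tuple reported by `mislabeled` is the case the thread is about: a serial number labelled "SN" would be read by an LDAP consumer as a surname.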