> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Levitte - VMS Whacker
>
> In message <[EMAIL PROTECTED]> on Mon, 15 Apr 2002 20:57:00 +0200, Michael Bell <[EMAIL PROTECTED]> said:
>
> michael.bell> We found today a big problem with the DNs which OpenSSL
> michael.bell> displays, because our application (OpenCA) produces DNs
> michael.bell> which conform to the directory standards, but OpenSSL
> michael.bell> interprets them in the opposite order.
> michael.bell> What does this mean?
>
> If I remember correctly, X.500 subjects are usually ordered as the
> inverse of the directory standards you refer to. This means that
> rather than O=HU, C=DE, the order would be C=DE, O=HU.
>
> However, with the OpenSSL application ('openssl'), which I assume is
> what you've been using, the order of the RDNs entirely depends on the
> order of the keys in the policy section from the configuration file.
> In the example openssl.cnf, the order is countryName first, followed by
> stateOrProvinceName, and so on. I'm sure that if you create a
> different policy section where things are reordered the way you want
> them, you'll get the desired result.
>
> All this, of course, said from memory. I haven't tested anything.

All of the above is true, but I believe it would be a bad idea to go changing the order of everything. Certificates are specified in X.509 and are properly a part of the X.500 family, and the X.500 DN syntax is clearly specified. Any software that claims to support X.509 certificates must operate using X.500 syntax. The LDAP DN specification is backwards, and a cert with "backwards" DNs could only be considered to be broken, and certainly will not be interoperable with the vast majority of already deployed PKI.

Of course, nothing says you can't add a function to the OpenSSL library to extract certificate DNs in LDAP format instead of X.500 format; it's just a matter of traversing the Name in the opposite order when parsing/printing it out.

I believe this feature was already added in OpenSSL 0.9.6, so this whole discussion has been about a non-problem...

--
Howard Chu
Chief Architect, Symas Corp.
Director, Highland Sun
http://www.symas.com
http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
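The point Howard makes, that the LDAP form of a Name is the same RDN sequence walked in the opposite direction, is the whole of the conversion. The following is an added example, not code from OpenSSL or OpenCA: a small Python script that takes OpenSSL's legacy "oneline" subject string (`/C=DE/O=HU/CN=...`, root first, as the certificate encodes it), reverses the RDN sequence and applies RFC 2253 escaping to produce the LDAP form (`CN=...,O=HU,C=DE`), and parses an RFC 2253 string back into X.500 order. All sample DNs are constructed for the example. Assumptions: the oneline parser takes no attribute value to contain `/` (the legacy format cannot represent that unambiguously anyway), hex escapes are decoded as single ASCII characters, and multi-valued RDNs joined with `+` are rejected rather than mis-parsed.

```python
"""Reorder a certificate Name between X.500 (root-first) and LDAP/RFC 2253 order.

Added example, not OpenSSL code. The Name itself never changes; only the
traversal direction and the string escaping differ between the two forms.
"""
from __future__ import annotations

# Characters RFC 2253 section 2.4 requires to be backslash-escaped in a value.
RFC2253_SPECIAL = set(',+"\\<>;')
HEX = "0123456789abcdefABCDEF"


def parse_oneline(dn: str) -> list[tuple[str, str]]:
    """Parse OpenSSL's '/C=DE/O=HU/CN=x' form into X.500 order (root first).

    Assumption: no attribute value contains '/'.
    """
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL oneline DN beginning with '/'")
    rdns: list[tuple[str, str]] = []
    for part in dn[1:].split("/"):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns


def escape_rfc2253(value: str) -> str:
    """Escape one attribute value: specials anywhere, '#'/space leading, space trailing."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC2253_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def x500_to_ldap(rdns: list[tuple[str, str]]) -> str:
    """Emit the LDAP form: walk the X.500 sequence backwards, most specific RDN first."""
    return ",".join(f"{attr}={escape_rfc2253(value)}" for attr, value in reversed(rdns))


def parse_rfc2253(dn: str) -> list[tuple[str, str]]:
    """Parse an RFC 2253 string; return RDNs in X.500 order (root first).

    Handles "\\," style escapes and "\\2C" hex pairs (ASCII assumed).
    Multi-valued RDNs ('+') are rejected rather than silently mis-parsed.
    """
    rdns: list[tuple[str, str]] = []
    attr: str | None = None
    buf: list[str] = []
    i, n = 0, len(dn)

    def flush() -> None:
        nonlocal attr, buf
        if not attr:
            raise ValueError("RDN without an attribute type")
        rdns.append((attr, "".join(buf)))
        attr, buf = None, []

    while i < n:
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                buf.append(chr(int(pair, 16)))  # hex escape, e.g. \2C -> ','
                i += 3
            elif i + 1 < n:
                buf.append(dn[i + 1])           # literal escape, e.g. \, -> ','
                i += 2
            else:
                raise ValueError("dangling backslash at end of DN")
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()         # spaces after ',' are allowed before the type
            buf = []
        elif ch == ",":
            flush()
        elif ch == "+":
            raise ValueError("multi-valued RDNs ('+') are not handled by this example")
        else:
            buf.append(ch)
        i += 1
    flush()
    return list(reversed(rdns))                 # LDAP order -> X.500 order


def oneline_to_ldap(dn: str) -> str:
    return x500_to_ldap(parse_oneline(dn))


def ldap_to_oneline(dn: str) -> str:
    return "/" + "/".join(f"{attr}={value}" for attr, value in parse_rfc2253(dn))


if __name__ == "__main__":
    # Constructed sample subject in OpenSSL's root-first oneline form.
    subject = "/C=DE/O=HU/OU=Humboldt, Berlin/CN=Michael Bell"
    ldap = oneline_to_ldap(subject)
    print("X.500:", subject)
    print("LDAP: ", ldap)
    print("back: ", ldap_to_oneline(ldap))
```

Current `openssl x509 -noout -subject -nameopt RFC2253` prints the LDAP order directly; the script above is what that option does on the string level, including the escaping of the comma inside the OU value, which the oneline form leaves bare.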
