On 02-04-16 11:02:58 CEST, Howard Chu wrote:
> the order of everything. Certificates are specified in X.509 and are
> properly a part of the X.500 family, and the X.500 DN syntax is clearly
> specified.

The syntax is clearly specified, but the only thing that I could find about
the RDN order is implicit from an example DN in X.501 that starts with
"{ C=US, ". Where does it explicitly say that DNs should start with the most
significant part at the left end and continue to the least significant?

> Any software that claims to support X.509 certificates must operate using
> X.500 syntax. The LDAP DN specification is backwards, and a cert with
> "backwards" DNs could only be considered to be broken, and certainly will
> not be interoperable with the vast majority of already deployed PKI.

Is the order part of X.500 syntax (isn't it semantics?) or is it just a
general convention? And why is LDAP reversed? Because LDAP is an internet
standard and the internet's DNS domain names are ordered that way? In Peter
Gutmann's X.509 style guide I see both sort orders mentioned...

So, how does one best handle this mess? Expect X.509 DNs to be big endian and
reverse them to be little endian for use with LDAP?

I'm assuming here that in both cases the display order is the same as the
ASN.1 SEQUENCE order. Is that assumption correct? (In other words: do the
ASN.1 representations (DER) for X.509 and LDAP DNs differ or just their
human readable presentation?)

rj

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
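Added example, not part of the post above and not OpenSSL code: a small Python encoder/decoder for an X.509 Name that renders one DER blob in both string orders. The attribute-type OIDs are the real X.520 ones (countryName, organizationName, commonName); the sample RDNs, the minimal escaping helper and all function names are constructed here. What it shows is that the order lives in the DER RDNSequence itself (root RDN first, as in the X.501 "{ C=US, ... }" example), while the LDAP string form of RFC 2253 is defined as walking that same sequence from its last element back to its first, so the two presentations differ while the encoding does not. Re-encoding the RDNs in reversed order produces a different DER blob, which is the distinction the last question in the post is after.

```python
"""Constructed example: one DER-encoded X.509 Name, two string presentations.

Hypothetical helper code (not from the openssl-dev thread). It hand-encodes a
Name as DER and decodes it back, then renders the RDNSequence both in X.500
order (root RDN first) and in LDAP/RFC 2253 order (leaf RDN first).
"""

# Constructed sample: a Name with three single-valued RDNs in X.500 order.
SAMPLE_RDNS = [("C", "US"), ("O", "Example Corp"), ("CN", "rj")]

# Attribute type OIDs (X.520) as DER contents octets.
OID_BY_SHORT = {
    "C":  bytes.fromhex("550406"),   # 2.5.4.6  countryName
    "O":  bytes.fromhex("55040a"),   # 2.5.4.10 organizationName
    "CN": bytes.fromhex("550403"),   # 2.5.4.3  commonName
}
SHORT_BY_OID = {v: k for k, v in OID_BY_SHORT.items()}

TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_PRINTABLE, TAG_UTF8 = 0x30, 0x31, 0x06, 0x13, 0x0C


def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; handles short- and long-form lengths."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def encode_name(rdns) -> bytes:
    """DER-encode an X.509 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    out = b""
    for short, value in rdns:
        tag = TAG_PRINTABLE if short == "C" else TAG_UTF8  # C is PrintableString in X.520
        atv = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, OID_BY_SHORT[short]) + _tlv(tag, value.encode()))
        out += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, out)


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos; return (tag, contents, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_name(der: bytes):
    """Decode a DER Name into a list of (shortname, value) in SEQUENCE order."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _read_tlv(seq, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(rdn_set, 0)          # single-valued RDN assumed here
        _, oid, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        rdns.append((SHORT_BY_OID[oid], value.decode()))
    return rdns


def x500_string(rdns) -> str:
    """X.500-style presentation: same order as the DER SEQUENCE (root first)."""
    return ", ".join(f"{k}={v}" for k, v in rdns)


def _ldap_escape(v: str) -> str:
    """Minimal RFC 2253 escaping of the characters that are special in a value."""
    return "".join("\\" + c if c in ',+"\\<>;' else c for c in v)


def ldap_string(rdns) -> str:
    """RFC 2253 presentation: the same RDNs emitted last-to-first (leaf first)."""
    return ",".join(f"{k}={_ldap_escape(v)}" for k, v in reversed(rdns))


def round_trip(rdns=SAMPLE_RDNS):
    """Encode, decode, and render both presentations of one DER Name."""
    der = encode_name(rdns)
    decoded = decode_name(der)
    return der, decoded, x500_string(decoded), ldap_string(decoded)


if __name__ == "__main__":
    der, _, x500, ldap = round_trip()
    print("DER :", der.hex())
    print("X.500:", x500)
    print("LDAP :", ldap)
```

The decoder deliberately keeps the RDNs in SEQUENCE order and leaves the reversal to the LDAP presenter; a converter that reversed the list while parsing would re-encode to a different certificate Name, which is the interoperability problem the quoted reply is warning about.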