On 02-04-16 11:02:58 CEST, Howard Chu wrote:
> the order of everything. Certificates are specified in X.509 and are
> properly a part of the X.500 family, and the X.500 DN syntax is clearly specified.

The syntax is clearly specified, but the only thing that I could find
about the RDN order is implicit from an example DN in X.501 that starts
with "{ C=US, ".
Where does it explicitly say that DNs should start with the most
significant part at the left end and continue to the least significant?

> Any software that claims to support X.509 certificates must operate using
> X.500 syntax. The LDAP DN specification is backwards, and a cert with
> "backwards" DNs could only be considered to be broken, and certainly will
> not be interoperable with the vast majority of already deployed PKI.

Is the order part of X.500 syntax (isn't it semantics?) or is it just
a general convention?

And why is LDAP reversed?
Because LDAP is an internet standard and the internet's DNS domain names
are ordered that way?

In Peter Gutmann's X.509 style guide I see both sort orders mentioned...

So, how does one best handle this mess?
Expect X.509 DNs to be big endian and reverse them to be little endian
for use with LDAP?

I'm assuming here that in both cases the display order is the same as
the ASN.1 SEQUENCE order.
Is that assumption correct?
(In other words: do the ASN.1 representations (DER) for X.509 and LDAP
DNs differ or just their human readable presentation?)

rj
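An added example, not part of this thread, that decodes a hand-assembled DER Name and renders it both ways: RFC 4514 defines the LDAP string form as the RDNSequence written from its last element backwards, so the DER bytes are identical for both worlds and only the string presentation is reversed. The sample bytes, the small OID table and the function names are constructed for this illustration and are not from OpenSSL or any LDAP library.

```python
ATTR_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}  # enough for the sample

def _tlv(buf, pos):
    """Read one DER TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def rdn_sequence(name_der):
    """Return the RDNs of a DER Name as [(attr, value), ...] in wire order."""
    tag, body, _ = _tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _tlv(body, pos)          # RelativeDistinguishedName ::= SET ...
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _tlv(rdn, 0)                 # ... holding one AttributeTypeAndValue here
        _, oid, p = _tlv(atv, 0)                 # AttributeType (OBJECT IDENTIFIER)
        _, val, _ = _tlv(atv, p)                 # AttributeValue (PrintableString/UTF8String)
        dotted = _decode_oid(oid)
        rdns.append((ATTR_NAMES.get(dotted, dotted), val.decode()))
    return rdns

def x500_string(name_der):
    """X.500 presentation: root-most RDN first, i.e. the order stored on the wire."""
    return ", ".join(f"{a}={v}" for a, v in rdn_sequence(name_der))

def ldap_string(name_der):
    """RFC 4514 (LDAP) presentation: the same RDNs, emitted in reverse wire order."""
    return ",".join(f"{a}={v}" for a, v in reversed(rdn_sequence(name_der)))

# Constructed sample: hand-assembled DER for the Name C=US, O=Example, CN=www.example.test
SAMPLE_NAME = bytes.fromhex(
    "303a"                                               # Name ::= SEQUENCE, 58 bytes
    "310b3009 0603550406 13025553"                       # SET{SEQ{ 2.5.4.6 (C), "US" }}
    "3110300e 060355040a 0c074578616d706c65"             # SET{SEQ{ 2.5.4.10 (O), "Example" }}
    "31193017 0603550403 0c107777772e6578616d706c652e74657374"  # SET{SEQ{ 2.5.4.3 (CN), ... }}
)

if __name__ == "__main__":
    print("X.500:", x500_string(SAMPLE_NAME))   # C=US, O=Example, CN=www.example.test
    print("LDAP: ", ldap_string(SAMPLE_NAME))   # CN=www.example.test,O=Example,C=US
```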
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List