> On Dec 23, 2018, at 6:01 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> 
> You're right, I typoed.  SubjectDN is non-optional.  But it can, as
> you mentioned, be an empty sequence.
> 
> But for PKIX purposes, it can't be empty if it's an Issuer (because
> IssuerDN can't be empty in the certificates that it issues).

That's an odd use of "it", since the issuerDN, while also a DN, is not
a subjectDN.  The "it" that is the subjectDN is sometimes legitimately
empty.  The other "it" that is the issuerDN is supposed to always be
non-empty, but some self-signed certificates violate that requirement
with apparent impunity, e.g. nothing in OpenSSL requires a non-empty
issuer DN in an end-entity self-signed certificate.  If it breaks, the
constraint would be at the application layer.

-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
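
An application-layer check of the kind the message refers to, as an added example that is not part of the original thread and not OpenSSL code: a standard-library Python DER walker that reports whether a certificate's issuer and subject are empty sequences. All function names are hypothetical, and the sample certificates are constructed, unsigned skeletons with a placeholder public key.

```python
# Added example: standard library only; sample certificates are constructed.

def der(tag, *parts):
    """Encode one DER TLV (definite length, short or long form)."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the TLV starting at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long form: low 7 bits give the count of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + n

def dn_status(cert):
    """Return (issuer_empty, subject_empty) for a DER-encoded certificate."""
    _, start, _ = read_tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, end = read_tlv(cert, start)      # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, vs, ve = read_tlv(cert, pos)
        fields.append((tag, ve - vs))        # keep tag and value length
        pos = ve
    if fields[0][0] == 0xA0:                 # skip optional [0] version
        fields.pop(0)
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    (itag, ilen), (stag, slen) = fields[2], fields[4]
    if itag != 0x30 or stag != 0x30:
        raise ValueError("issuer/subject is not a SEQUENCE")
    return ilen == 0, slen == 0

def sample_cert(issuer, subject):
    """Constructed, unsigned skeleton with just enough structure to walk."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
    validity = der(0x30, der(0x17, b"181223000000Z"), der(0x17, b"191223000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg,
              issuer, validity, subject, der(0x30))  # empty SPKI placeholder
    return der(0x30, tbs, alg, der(0x03, b"\x00"))

EMPTY_DN = der(0x30)                         # zero-length RDNSequence: 30 00
CN_TEST = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, b"test"))))
```

An application that wants the non-empty issuer requirement enforced would reject a certificate when the first element of `dn_status(...)` is true, while still accepting an empty subject.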