On 2010-06-04 02:35 PDT, Peter Sylvester wrote:
>> The phrase "the (most specific) Common Name field in the subject field"
>> is not plural. There is at most one Common Name attribute in the name
>> that is *the* most specific one. The words "most specific" refer to its
>> position in the list of RDNs, which are arranged (as encoded in the
>> certificate Name field) from most general (first) to most specific
>> (last). So, the most specific Common Name is the last of the Common
>> Name attributes in the sequence of RDNs, as encoded in the certificate.
>>
> You can have two AVAs of the same type in one RDN, i.e.
> two common names in the same RDN. There the interpretation
> of most-significant is not clear.

Agreed, in principle. In practice, I've never seen a certificate produced
by a real CA with multiple AVAs in a single RDN. I've seen them in certs
produced by test scripts, and by people playing with OpenSSL. :)

> The term of 2818 itself is wrong, there is no such thing
> as a 'Common Name field'.

Agreed, wholeheartedly. Still, we know what they meant. But I'm glad this
mistake is not repeated in your draft.

> If one puts no more than one AVA of type CN into an
> RDN, and only one of such RDN, the result is ok.

I agree with the first part of that. Don't see why the second restriction
is necessary for the result to be OK.

> The "(most specific)" is a kind of hint not to put more
> than one unless you want to attack like a \0 :-)

Yes, an attack to which software that ignores the "most specific"
requirement will be vulnerable.

> /P
>
> PS: I "like" the *.ietf.org cert used by the server 'ietf.org' :-)

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
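The thread turns on how a verifier should read the encoded Name: RDNs run from most general (first) to most specific (last), the "most specific" CN is the CN in the last RDN that carries one, two CNs in one RDN leave that undefined, and a CN holding a `\0` must not be handed to C-string comparison. The following is an added example, not code from the thread or from any IETF draft; it is a minimal pure-Python DER parser for the X.501 Name structure (SEQUENCE OF SET OF SEQUENCE { OID, value }) plus a selector that applies those rules. The sample Names are constructed by hand here with small DER builders; no real certificate is involved, and the hostnames are placeholders.

```python
"""Select the "most specific" Common Name from a DER-encoded X.501 Name.

Added example (not from the mailing-list thread). Structure parsed:

    Name                          ::= SEQUENCE OF RelativeDistinguishedName
    RelativeDistinguishedName     ::= SET OF AttributeTypeAndValue
    AttributeTypeAndValue         ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }
"""
from __future__ import annotations

CN_OID = "2.5.4.3"    # id-at-commonName
O_OID = "2.5.4.10"    # id-at-organizationName
C_OID = "2.5.4.6"     # id-at-countryName

# ---- tiny DER encoder, used only to construct the sample Names below ----

def _tlv(tag: int, contents: bytes) -> bytes:
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def ava(oid: str, value: str) -> bytes:
    """AttributeTypeAndValue with a UTF8String value."""
    return _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, value.encode("utf-8")))

def rdn(*avas: bytes) -> bytes:
    # DER requires SET OF members in sorted order; irrelevant for this demo
    # because a multi-CN RDN is rejected as ambiguous regardless of order.
    return _tlv(0x31, b"".join(avas))

def name(*rdns: bytes) -> bytes:
    return _tlv(0x30, b"".join(rdns))

# ---- minimal DER decoder ----

def _read_tlv(data: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the definite-length TLV at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end

def _decode_oid(contents: bytes) -> str:
    arcs = [contents[0] // 40, contents[0] % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_name(der: bytes) -> list[list[tuple[str, bytes]]]:
    """Parse a Name into a list of RDNs, each a list of (oid, raw value bytes)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name must be a single SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        avas, p = [], 0
        while p < len(rdn_set):
            tag, ava_bytes, p = _read_tlv(rdn_set, p)
            if tag != 0x30:
                raise ValueError("AVA must be a SEQUENCE")
            t, oid_bytes, q = _read_tlv(ava_bytes, 0)
            if t != 0x06:
                raise ValueError("AVA type must be an OID")
            _, value, _ = _read_tlv(ava_bytes, q)
            avas.append((_decode_oid(oid_bytes), value))
        rdns.append(avas)
    return rdns

def most_specific_cn(der: bytes) -> tuple[str | None, list[str]]:
    """Return (cn, warnings) following the reading of RFC 2818 discussed above.

    cn is the CN in the last RDN that carries one. It is None when no CN
    exists or when that RDN carries more than one CN, because "most specific"
    is then undefined. An embedded NUL is reported so the caller rejects the
    name instead of comparing it as a C string.
    """
    warnings: list[str] = []
    for avas in reversed(parse_name(der)):
        cns = [v for oid, v in avas if oid == CN_OID]
        if not cns:
            continue
        if len(cns) > 1:
            warnings.append(f"ambiguous: {len(cns)} CN attributes in one RDN")
            return None, warnings
        if b"\x00" in cns[0]:
            warnings.append("embedded NUL in CN value")
        return cns[0].decode("utf-8", "replace"), warnings
    return None, warnings

# Constructed sample Names (placeholders, not real certificates).
ORDINARY = name(rdn(ava(C_OID, "US")), rdn(ava(O_OID, "Example Org")),
                rdn(ava(CN_OID, "Example Org CA")), rdn(ava(CN_OID, "www.example.com")))
TWO_CNS_ONE_RDN = name(rdn(ava(C_OID, "US")),
                       rdn(ava(CN_OID, "a.example.com"), ava(CN_OID, "b.example.com")))
NUL_CN = name(rdn(ava(C_OID, "US")), rdn(ava(CN_OID, "www.example.com\x00.other.example")))

if __name__ == "__main__":
    for label, der in (("ordinary", ORDINARY), ("two CNs in one RDN", TWO_CNS_ONE_RDN),
                       ("NUL in CN", NUL_CN)):
        print(label, "->", most_specific_cn(der))
```

Note that with two CN attributes in two separate RDNs (the `ORDINARY` sample), the selector returns the last one, `www.example.com`, exactly as the "most general first, most specific last" reading prescribes, while the two-CNs-in-one-RDN case is refused rather than guessed at.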
