Martin Rex <[email protected]> noted on
Wed, 12 May 2010 00:47:30 +0200 (MEST)...
>
> Further complicating the issue: While DER encoding leaves the ordering
> of the contents of an ASN.1 SEQUENCE as is, the ordering of the contents
> of an ASN.1 SET is "canonicalized" by DER encoding (based on the
> numeric ordering of the final binary encoding of each element).
> So the shorter elements will always end up first in RDNames
> containing multiple attribute-value pairs in a SET.
>
> i.e.
>
>      CN=Foo+2.5.4.5=123ABC,O=bar,C=ZZ
>      2.5.4.5=227DEF+CN=LongName,O=bar,C=ZZ


Nelson B Bolyard <[email protected]> wrote on Fri, 04 Jun 2010 10:11:29 -0700
>
> On 2010-06-04 02:35 PDT, Peter Sylvester wrote:
>>
>> You can have two AVAs of the same type in one RDN, i.e.
>> two common names in the same RDN. There the interpretation
>> of most-significant is not clear.
>
> Agreed, in principle.  In practice, I've never seen a certificate produced
> by a real CA with multiple AVAs in a single RDN.  I've seen them in certs
> produced by test scripts, and by people playing with OpenSSL.  :)


And Kaspar Brand <[email protected]> had pointed out on
Thu, 13 May 2010 09:40:12 +0200
>
> Here's some data. It's from a sample of about 90,000 non self-issued
> certs (from commercial CAs, most likely reflecting shares like those in
> http://news.netcraft.com/SSL-survey). The data are from the beginning
> of 2009, but I don't think the situation has considerably changed
> in between.
>
> The second column shows the RDNs in the order they have in the
> ASN.1 subject SEQUENCE, while the first column gives the number of
> occurrences of such a cert (only the "top 15" are shown).
>
>   19464 C, O, OU, OU, OU, CN
>   15657 C, ST, L, O, OU, CN
>    6859 O, OU, CN
>    5603 C, ST, L, O, OU, OU, CN
>    4983 C, ST, L, O, OU, OU, OU, OU, CN
>    4813 C, ST, L, O, CN
<snip/>


I personally seem to recall observing certs in the wild whose string-formatted DNames included the "+" notation as Martin illustrates above, and which denotes an RDN SET, although I don't recall whether such certs were produced by "real CAs" as Nelson terms a certain subclass of CAs.


Kaspar -- would information wrt multi-valued RDNames be embodied in the sample you used to generate the above info you shared with the list? If so, are there any occurrences, and if so what's the frequency?


thanks,

=JeffH
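The DER ordering rule Martin describes above can be checked mechanically. The following is an added example, not part of this thread or of any list member's code: a minimal DER encoder/decoder for a single RDN (a SET OF AttributeTypeAndValue) that applies the X.690 canonical SET OF sort, i.e. components ordered by their complete encodings as octet strings. Because each AVA encoding starts with the SEQUENCE tag and then its length octet, a shorter AVA sorts first whenever lengths differ; when lengths tie, the OID and value octets decide. The attribute short-name table and the string-type choice (PrintableString for countryName, UTF8String for everything else) are assumptions made for the example, and the generic `print` form the code produces uses "+" for multi-valued RDNs as in Martin's illustration.

```python
# Added example (not from the certid thread): DER canonical ordering of a
# multi-valued RDN, i.e. a SET OF AttributeTypeAndValue, per X.690 11.6.
from typing import List, Tuple

# Assumed short-name table for the example; values are the X.520 OIDs.
ATTR_OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
             "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
OID_NAMES = {v: k for k, v in ATTR_OIDS.items()}


def der_length(n: int) -> bytes:
    """DER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def encode_ava(attr_type: str, value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY }."""
    oid = ATTR_OIDS.get(attr_type, attr_type)  # a dotted OID may be passed directly
    if oid == "2.5.4.6":  # assumption: countryName as PrintableString (0x13)
        val = der_tlv(0x13, value.encode("ascii"))
    else:                 # assumption: everything else as UTF8String (0x0C)
        val = der_tlv(0x0C, value.encode("utf-8"))
    return der_tlv(0x30, encode_oid(oid) + val)


def encode_rdn(avas: List[Tuple[str, str]]) -> bytes:
    """RDN ::= SET OF AVA. DER sorts the components by their encoded octets,
    so the input order is discarded; bytes compare lexicographically in Python,
    which matches the X.690 rule for distinct DER encodings."""
    encoded = sorted(encode_ava(t, v) for t, v in avas)
    return der_tlv(0x31, b"".join(encoded))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_rdn(der: bytes) -> List[Tuple[str, str]]:
    """Walk the SET and return (type, value) pairs in encoded (DER) order."""
    tag, set_content, _ = _read_tlv(der, 0)
    if tag != 0x31:
        raise ValueError("not a SET")
    out, pos = [], 0
    while pos < len(set_content):
        _, ava, pos = _read_tlv(set_content, pos)
        _, oid_bytes, p = _read_tlv(ava, 0)
        _, val_bytes, _ = _read_tlv(ava, p)
        oid = decode_oid(oid_bytes)
        out.append((OID_NAMES.get(oid, oid), val_bytes.decode("utf-8")))
    return out


def canonical_rdn_string(avas: List[Tuple[str, str]]) -> str:
    """Round-trip through DER and render the RDN with '+' between AVAs."""
    return "+".join(f"{t}={v}" for t, v in decode_rdn(encode_rdn(avas)))


if __name__ == "__main__":
    # Martin's two examples, given in the "wrong" order on purpose:
    print(canonical_rdn_string([("2.5.4.5", "123ABC"), ("CN", "Foo")]))
    print(canonical_rdn_string([("CN", "LongName"), ("2.5.4.5", "227DEF")]))
    # Equal lengths: the OID/value octets decide, not the input order.
    print(canonical_rdn_string([("OU", "bb"), ("OU", "aa")]))
```

Running the block prints `CN=Foo+2.5.4.5=123ABC`, then `2.5.4.5=227DEF+CN=LongName`, then `OU=aa+OU=bb`: the first two reproduce Martin's illustration, and the third shows what happens when the lengths tie. The practical consequence for name matching is the one discussed in the thread: after DER re-encoding, the position of an AVA inside a multi-valued RDN carries no information about the order the issuer typed it in.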




_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
