On 06/19/2010 04:56 PM, Paul Hoffman wrote:
> At 4:42 PM +0200 6/19/10, Michael Ströder wrote:
>> Alexey Melnikov wrote:
>>> Paul Hoffman wrote:
>>>> No, I'm saying that the order in which you are supposed to take the
>>>> DCs has historically been unclear. "Most significant" means different
>>>> things to different people.
>>>
>>> I probably sound like a broken record, but the order is very clear for
>>> LDAP. I don't see why this is going to be different for X.509 certificates.
>>
>> Yes, I concur that RFC 2247 is pretty clear and is meant to be applied to X.500
>> names as well.
>
> ...and you think that all (or even typical) PKIX implementers read either of
> those documents?
And there might be a chance that this gets worse with RFCs
full of unclear justifications. The order in domain components
is as unclear as the order in DNs, i.e. the same confusion can
occur IMO due to the two different string representations
(openssl vs ldap).
There are two ways. I have seen a real CA having its DN
starting with CN and ending with C, the whole in a certificate
issued from a Research Network PKI. It was rather simple to explain
and was corrected.

Examples in various RFCs mentioned also contain CN. If (and
that might not be clear) CN is regarded as more significant,
then the order of DCs is sufficiently clear IMO. I also wonder if
someone who understands the hierarchy of RDNs would
consider that the hierarchy in the DC sequence is the other
way around. It is more likely that one doesn't think about
any order at all in name components (and implements
names with hash tables), which may be a reasonable
concept with named components.

As for the text concerning DCs in RFC 5280, a CA cannot
assume that a relying party is able to reconstruct a DNS name
from DC components, but the text does not exclude this, thus
one can assume that it is constructed correctly if present.

Having said this, I agree with Alexey when he says (in particular
I like the many reasons for the first sentence):

> Personally, I don't care if DCs are allowed or not by this document. But if DCs are to be prohibited in this document, I want to make sure that the document gives the right reason for that.

Peter
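The two string representations the message contrasts (LDAP vs. openssl), the DNS name rebuilt from the DC components per RFC 2247, and the wrong name a reversed reading produces, as an added Python example that is not part of the thread. The DN strings are constructed samples; the parsers assume single-valued RDNs and no '/' inside OpenSSL-form values.

```python
# Added example (not code from the thread or any RFC): the same X.500 name in
# the two string forms the discussion contrasts, the DNS name rebuilt from its
# DC components (RFC 2247), and the wrong name that a reversed reading gives.
import re

# Constructed sample. The LDAP string form (RFC 4514) lists RDNs least
# significant first, so the DC naming the DNS root is rightmost; the OpenSSL
# one-line form lists the same RDNs in ASN.1 order, most significant first.
LDAP_DN = "CN=host.example.net,DC=example,DC=net"
OPENSSL_DN = "/DC=net/DC=example/CN=host.example.net"

def parse_ldap_dn(dn):
    """RFC 4514 string -> [(type, value)], most significant RDN first.
    Assumes single-valued RDNs; commas in values are backslash-escaped."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, value = rdn.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.replace("\\,", ",")))
    rdns.reverse()  # the string is written least significant first
    return rdns

def parse_openssl_dn(dn):
    """OpenSSL '/T=v/T=v' string -> [(type, value)], already most significant
    first. Assumes values contain no '/'."""
    rdns = []
    for rdn in dn.strip("/").split("/"):
        attr_type, value = rdn.split("=", 1)
        rdns.append((attr_type.strip().upper(), value))
    return rdns

def dns_name_from_dcs(rdns, misread=False):
    """Rebuild the DNS name from DCs given most significant first: the first
    DC is the TLD, so the labels are reversed. misread=True returns instead
    what a reader gets who takes the DCs in the order they happen to appear."""
    labels = [value for attr_type, value in rdns if attr_type == "DC"]
    if not labels:
        return None
    return ".".join(labels if misread else reversed(labels))

def cn_consistent_with_dcs(rdns):
    """Relying-party check: the CN must be the DC domain or a host inside it.
    Returns True when there is no CN or no DC to compare."""
    cn = next((v for t, v in rdns if t == "CN"), None)
    domain = dns_name_from_dcs(rdns)
    if cn is None or domain is None:
        return True
    cn, domain = cn.lower(), domain.lower()
    return cn == domain or cn.endswith("." + domain)
```

Both parsers yield the same RDN sequence, so the DC order only looks different because the two string forms are written in opposite directions; the consistency check flags a name whose DCs were emitted the wrong way round.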

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid