At 7:52 PM +0200 6/21/10, Michael Ströder wrote:
>Paul Hoffman wrote:
>> At 4:42 PM +0200 6/19/10, Michael Ströder wrote:
>>> Alexey Melnikov wrote:
>>>> Paul Hoffman wrote:
>>>>> No, I'm saying that the order in which you are supposed to take the
>>>>> DCs has historically been unclear. "Most significant" means different
>>>>> things to different people.
>>>>>
>>>> I probably sound like a broken record, but the order is very clear for
>>>> LDAP. I don't see why this is going to be different for X.509 certificates.
>>>
>>> Yes, I concur RFC 2247 is pretty clear and is meant to be applied to X.500
>>> names as well.
>>
>> ...and you think that all (or even typical) PKIX implementers read either
>> of those documents?
>
>Some of them do.
>
>If you dig in mailing list archives you will find that I know enough about
>deficiencies of real-world software. And I tracked down quite a few bugs in
>software of "major" PKI vendors some of them related to DN (string) handling.
>
>But what does that tell us? To give up writing or referencing RFCs?

It tells us that, when there are multiple ways to do things, and some of those 
ways are known to be insecure due to repeated poor implementations, we can say 
"don't do that" for the bad ways.
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
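As an added worked example (not part of the thread above, and not anyone's posted code): the RFC 2247 mapping in both directions, using the RFC's own CS.UCL.AC.UK name plus a constructed subject with a cn after the dc components. The point it makes concrete is the one the thread circles around: the LDAP string form (RFC 4514) writes the leaf dc first, "dc=CS,dc=UCL,dc=AC,dc=UK", while the ASN.1 RDNSequence in an X.509 Name carries the root-most RDN first, so a checker that reads the sequence front to back and joins the values without reversing reconstructs UK.AC.UCL.CS. The function names are my own, and the "naive" variant exists only to show that failure mode.

```python
"""Map DNS names to domainComponent (dc) names per RFC 2247 and back.

Two orderings are easy to confuse:
  * LDAP string form (RFC 4514): "dc=CS,dc=UCL,dc=AC,dc=UK"; the leaf RDN is
    written first and the root-most RDN last.
  * ASN.1 RDNSequence (X.501 Name, as carried in an X.509 certificate): the
    root-most RDN is the FIRST element, i.e. [dc=UK, dc=AC, dc=UCL, dc=CS].
DNS labels read leaf first, so the LDAP string order equals DNS label order
and the ASN.1 order is its reverse.
"""
from __future__ import annotations

import re

# LDH label: letters, digits, hyphen; no leading/trailing hyphen; max 63.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def dns_labels(name: str) -> list[str]:
    """Split a DNS name into labels, leaf first, rejecting non-LDH labels."""
    labels = name.rstrip(".").split(".")
    for lab in labels:
        if not _LABEL.match(lab):
            raise ValueError(f"invalid DNS label: {lab!r}")
    return labels


def dns_to_ldap_dn(name: str) -> str:
    """RFC 2247 section 3: one dc RDN per label, written leaf first."""
    return ",".join(f"dc={lab}" for lab in dns_labels(name))


def dns_to_rdn_sequence(name: str) -> list[tuple[str, str]]:
    """The same name as an ASN.1 RDNSequence: root-most label first."""
    return [("dc", lab) for lab in reversed(dns_labels(name))]


def ldap_dn_to_rdn_sequence(dn: str) -> list[tuple[str, str]]:
    """Parse a pure-dc LDAP DN string into ASN.1 order.

    Labels are LDH only, so no RFC 4514 escaping can occur; anything else
    (a non-dc type, a bad label) is rejected rather than guessed at.
    """
    rdns = []
    for part in dn.split(","):
        typ, _, val = part.partition("=")
        if typ.strip().lower() != "dc" or not _LABEL.match(val):
            raise ValueError(f"not a dc RDN with an LDH label: {part!r}")
        rdns.append(("dc", val))
    return list(reversed(rdns))


def rdn_sequence_to_dns(seq: list[tuple[str, str]]) -> str:
    """Recover the DNS name from an RDNSequence given in ASN.1 order.

    The dc RDNs are the root-most part of the Name, so they are the leading
    run of the sequence; anything after the first non-dc RDN (cn, ou, ...)
    belongs to the entry, not the domain, and is ignored.
    """
    labels = []
    for typ, val in seq:
        if typ.lower() != "dc":
            break
        if not _LABEL.match(val):
            raise ValueError(f"invalid dc value: {val!r}")
        labels.append(val)
    if not labels:
        raise ValueError("no dc components at the start of the Name")
    # Reverse: ASN.1 is root first, DNS is leaf first.
    return ".".join(reversed(labels))


def naive_rdn_sequence_to_dns(seq: list[tuple[str, str]]) -> str:
    """The wrong way: join dc values in sequence order without reversing.

    Kept here only to show the failure mode; do not use.
    """
    return ".".join(val for typ, val in seq if typ.lower() == "dc")


def dc_name_matches(seq: list[tuple[str, str]], expected_dns: str) -> bool:
    """Compare the dc part of a Name against a DNS name.

    dc uses caseIgnoreIA5Match (RFC 2247) and DNS is case-insensitive, so
    compare label by label after case folding rather than as raw strings.
    """
    try:
        got = dns_labels(rdn_sequence_to_dns(seq))
        want = dns_labels(expected_dns)
    except ValueError:
        return False
    return [l.lower() for l in got] == [l.lower() for l in want]


if __name__ == "__main__":
    seq = dns_to_rdn_sequence("CS.UCL.AC.UK")
    print(dns_to_ldap_dn("CS.UCL.AC.UK"))          # dc=CS,dc=UCL,dc=AC,dc=UK
    print(seq)                                      # root-most first
    print(rdn_sequence_to_dns(seq))                 # CS.UCL.AC.UK
    print(naive_rdn_sequence_to_dns(seq))           # UK.AC.UCL.CS (wrong)
```

dc_name_matches is the check a relying party would actually run: it refuses a Name whose dc run is empty or malformed instead of silently matching nothing, and it compares labels case-insensitively so "cs.ucl.ac.uk" and "CS.UCL.AC.UK" agree while "uk.ac.ucl.cs" does not.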