On Tue, Jul 04, 2000 at 09:54:37PM -0700, Ben Smith wrote:
> 
> This depends on the version of the 509 you are working with, have
> you (obviously not) read any of the RFCs pertaining to this subject?  You
> can usually get them off ftp.isi.edu, or via the web at
> www.rfc-editor.org.  The one in specific I am thinking about is 2459 which
> details version three certs.  I don't remember the number off hand for
> version one.  If you can't find the RFC at either of those locations I
> would be glad to email it to you directly.


RFC2459 doesn't say if you can have more than one of the same element
in a DN.  It points the reader to "the X.500 series of specifications"
for further info.  Of course X.500 et al. are ITU specs, which
you have to buy.

I remember seeing something in the X.500 blah-blah specs that says that
it's legal to have more than one of the same element in a DN, but I
can't find it now.  Even if it's legal, I don't think that it's a good
idea to do it, as I think that most X.509 packages are not coded to
handle duplicate elements in DNs.  There's a whole pile of different DN
elements spec'd in X.520; if you're looking to add an element to a DN and
can't find an appropriate unused one there, you're not trying very hard.


>  -ben smith
> 
> On Tue, 27 Jun 2000, Israel Torres wrote:
> 
> > Hello, 
> > 
> >     I am trying to troubleshoot a digital certificate. My question is: Can a valid 
> > X.509 certificate contain more than one OU (organizational unit) for the subject of 
> > the certificate? Currently it appears that the cert I am examining is not being 
> > accepted by an IIS 5 server, and I was wondering if it was because of the dual OUs. 
> > The first OU is a "random number" for "serialization" purposes, and the second OU 
> > matches the server's OU. Any help would be appreciated!


I have never seen an X.509 cert with two OUs in it.  I expect that
a lot of X.509 packages will use one or the other of the OUs, but not
both, depending on how their RDN routines are coded.

If there are two OUs in the client cert's Issuer and one doesn't match
what's in the CA cert's Subject then it should be rejected.  I don't think
that the OU should have a "random number" in it for "serialization"--
there's a serial number field for that.

Peter Gutmann has a good paper on X.509 compatibility.  His
web site is http://www.cs.auckland.ac.nz/~pgut001/
(that server appears to be down at the moment though)

-- 
 Eric Murray www.lne.com/~ericm  ericm at the site lne.com  PGP keyid:E03F65E5
    Security consulting: security models, reviews, protocols, crypto.
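Added example, not part of the thread above: a minimal DER decoder for the X.501 Name structure that lists every RDN and reports attribute types occurring more than once, which is the "two OUs in one DN" situation the thread discusses. It assumes short-form DER lengths and UTF8String values, and the sample Name (org, a "serialization" OU, a second OU, CN) is constructed here with invented values.

```python
# Added example, not from the thread: decode an X.501 Name (SEQUENCE OF RDN,
# each RDN a SET OF AttributeTypeAndValue) and report attribute types used twice.
OID_OU, OID_CN, OID_O = "2.5.4.11", "2.5.4.3", "2.5.4.10"

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos (short-form length); return (tag, content, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length

def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Return the Name as a list of RDNs, each a list of (dotted_oid, value) pairs."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        atvs, p = [], 0
        while p < len(rdn):
            _, atv, p = _tlv(rdn, p)                 # AttributeTypeAndValue SEQUENCE
            _, oid_raw, q = _tlv(atv, 0)             # AttributeType OID
            _, val_raw, _ = _tlv(atv, q)             # AttributeValue (UTF8String here)
            atvs.append((_decode_oid(oid_raw), val_raw.decode("utf-8")))
        rdns.append(atvs)
    return rdns

def duplicate_types(rdns):
    """Map each attribute OID that occurs more than once anywhere in the Name to its values."""
    seen = {}
    for rdn in rdns:
        for oid, val in rdn:
            seen.setdefault(oid, []).append(val)
    return {oid: vals for oid, vals in seen.items() if len(vals) > 1}

# Constructed sample Name: O, OU (a "serialization" number), OU, CN -- all values invented.
def _der(tag, content):                  # short-form length only; enough for this sample
    return bytes([tag, len(content)]) + content
def _rdn(oid, text):                     # one single-valued RDN; OID arcs < 128 assumed
    arcs = [int(a) for a in oid.split(".")]
    oid_bytes = bytes([arcs[0] * 40 + arcs[1]] + arcs[2:])
    return _der(0x31, _der(0x30, _der(0x06, oid_bytes) + _der(0x0C, text.encode())))

SAMPLE_NAME = _der(0x30, _rdn(OID_O, "Example Org") + _rdn(OID_OU, "8675309")
                   + _rdn(OID_OU, "Web Servers") + _rdn(OID_CN, "www.example.test"))
```

Running `duplicate_types(parse_name(SAMPLE_NAME))` on the sample returns the two OU values under OID 2.5.4.11; a validator that walks RDNs and keeps only the first or last match for a type would silently see just one of them.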
