> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Bell
>
> Howard Chu wrote:
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Bell
> > >
> > > What do you want to say with this answer? The problem has nothing to do
> > > with signature verification. If you use "openssl x509" or any other
> > > openssl command then you will see a DN. The question is, why is the
> > > order (in which the DN is displayed) different from the one used for
> > > LDAP. Does X.500 use the opposite order of LDAP?
> >
> > There is no bug, unless you consider LDAP itself a bug. Yes, LDAP uses the
> > opposite order from X.500. OpenSSL is using the correct (X.500) order.
>
> Until now I thought X.500 uses ASN.1 encoded DNs only and LDAP supports
> UTF-8 too. So there is a definition in X.500 how to transform ASN.1
> encoded DNs to UTF-8?

The question makes no sense. ASN.1 is a specification for a transmission format, but it doesn't make detailed specifications of the semantics of the transmitted data. Both X.500 and LDAP use ASN.1 for their over-the-wire data transfers. UTF-8 is also simply a specification for the formatting of character data; it says nothing about the semantics of strings of characters.

At its core, LDAP is simply a different front-end for the X.500 information model. A DN is a name that uniquely identifies an object in the X.500 name space. Practically speaking, a DN is a DN.

In pure X.500, DNs are specified to be big-endian, most-significant component listed first. An X.500 directory path follows the same convention as a Unix filesystem path in this regard. In LDAP, the convention is to display the DNs in the opposite order, but the semantic meaning of the DN is unchanged. The X.500 representation

    /c=us/o=foo/ou=people/cn=joe

specifies the exact same object as the LDAP DN

    cn=joe,ou=people,o=foo,c=us

The difference is purely a matter of presentation.

To answer your question "is there a definition of how to transform X.500 DNs to LDAP representation?" the answer is yes, it's RFC 2253.

--
Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
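As an added example (not code from the thread, from OpenSSL or from OpenLDAP), the following Python converts a DN between the two presentations Howard contrasts: the X.500 path form `/c=us/o=foo/ou=people/cn=joe` and the RFC 2253 string form `cn=joe,ou=people,o=foo,c=us`. It goes slightly beyond the thread's example by handling RFC 2253 backslash and hex escapes on the LDAP side, so that a value containing a comma survives the round trip. The function names are this example's own; it assumes single-valued RDNs (no `+`), an X.500 path form that uses `/` as separator with no escaping (as written in the thread), and UTF-8 bytes behind `\XX` hex escapes.

```python
# Added example (not code from the thread, OpenSSL or OpenLDAP): convert a DN
# between the X.500 path form "/c=us/o=foo/ou=people/cn=joe" and the LDAP
# string form "cn=joe,ou=people,o=foo,c=us". Assumptions: single-valued RDNs,
# '/'-separated X.500 path with no escaping, UTF-8 bytes behind '\XX' escapes.
import re

# Characters RFC 2253 section 2.4 requires to be backslash-escaped in a value.
_LDAP_SPECIAL = ',+"\\<>;'
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def parse_x500_path(path):
    """'/c=us/o=foo/...' -> [('c', 'us'), ('o', 'foo'), ...], root first."""
    if not path.startswith("/"):
        raise ValueError("X.500 path form must start with '/'")
    rdns = []
    for component in path[1:].split("/"):
        if not component:
            continue
        attr_type, sep, value = component.partition("=")
        if not sep or not attr_type:
            raise ValueError("malformed RDN: %r" % component)
        rdns.append((attr_type, value))
    return rdns

def _split_unescaped(s, sep):
    """Split on sep, treating a backslash plus the next character as literal."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def _ldap_unescape(raw):
    """Undo RFC 2253 escaping: '\\,' -> ',' and '\\XX' -> the byte 0xXX."""
    buf = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != "\\":
            buf += raw[i].encode("utf-8")
            i += 1
        elif _HEX_PAIR.fullmatch(raw[i + 1:i + 3]):
            buf.append(int(raw[i + 1:i + 3], 16))   # hex pair is one UTF-8 byte
            i += 3
        elif i + 1 < len(raw):
            buf += raw[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError("dangling backslash in %r" % raw)
    return buf.decode("utf-8")

def _ldap_escape(value):
    """Apply RFC 2253 escaping so the value survives a round trip."""
    out = []
    for i, ch in enumerate(value):
        if ch in _LDAP_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                    # leading '#' means hex-encoded BER
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):  # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def parse_ldap_dn(dn):
    """'cn=joe,ou=people,...' -> [('cn', 'joe'), ('ou', 'people'), ...], leaf first."""
    rdns = []
    for component in _split_unescaped(dn, ","):
        attr_type, sep, raw_value = component.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError("malformed RDN: %r" % component)
        rdns.append((attr_type.strip(), _ldap_unescape(raw_value)))
    return rdns

def x500_to_ldap(path):
    """Reverse the component order and re-join with RFC 2253 separators."""
    rdns = parse_x500_path(path)
    return ",".join("%s=%s" % (t, _ldap_escape(v)) for t, v in reversed(rdns))

def ldap_to_x500(dn):
    """Reverse the component order and re-join as an X.500 path."""
    rdns = parse_ldap_dn(dn)
    return "".join("/%s=%s" % (t, v) for t, v in reversed(rdns))

def same_object(x500_path, ldap_dn):
    """True when both strings name the same entry: compare the parsed RDN
    sequences (one of them reversed), never the presentation strings."""
    return parse_x500_path(x500_path) == list(reversed(parse_ldap_dn(ldap_dn)))

if __name__ == "__main__":
    print(x500_to_ldap("/c=us/o=foo/ou=people/cn=joe"))   # cn=joe,ou=people,o=foo,c=us
    print(ldap_to_x500("cn=joe,ou=people,o=foo,c=us"))    # /c=us/o=foo/ou=people/cn=joe
```

`same_object` is the point of the exercise: two DNs are the same name when their RDN sequences match component by component, which a string comparison of the two presentations will never show. Real deployments also need attribute-type case folding and the matching rules of each attribute (RFC 2253 leaves those to the schema), which this example does not attempt.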