In message <[EMAIL PROTECTED]> on Mon, 17 Nov 2003 22:16:45 +1100, "Steven Reddie" 
<[EMAIL PROTECTED]> said:

smr> I have come across a certificate that chokes our software which
smr> uses OpenSSL.  I haven't dug very deep yet, but was hoping that
smr> someone could tell me about any ordering rules for the DN's.
smr>  
smr> openssl asn1parse on the cert produces the dump below which has
smr> the order of issuer DN components in the reverse order (CN->C) of
smr> what I am used to seeing (C->CN).  Is this a legal certificate?
smr> My understanding is that the order is fixed by one of the
smr> X.400/X.500 standards.  Apparently IE and Netscape can quite
smr> happily import and export the P12 file that this cert came from.
smr> If this encoding is illegal, is it considered best practice to be
smr> able to handle it?

You're right, the ordering you see is quite unusual.  For programs
like IE and Netscape, it shouldn't be very important, unless they
actually use the DN in a specific order for retrieval.  In an LDAP
repository or a DAP repository, the story is different, as the
certificate will end up in entirely different places, at least if the
certificate subject is used as the repository DN (I wouldn't recommend
doing that differently, but I know some who do...).

I'm not entirely sure you can call any ordering illegal.  However,
there are some recommendations, and you might end up quite surprised
if you do things differently, so from that point of view, one might
call that certificate you have "surprising".

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
You don't have to be rich, a $10 donation is appreciated!

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
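
An added illustration of the ordering point discussed in this thread (not part of either message and not OpenSSL code): the same three attributes DER-encoded as a Name in C->CN and CN->C order, then rendered as LDAP DN strings, which per RFC 4514 list the last encoded RDN first. The attribute values are constructed samples, all helper names are hypothetical, and string escaping is omitted because the sample values need none.

```python
# Subset of attribute type OIDs (DER content bytes) and their short names.
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}
NAMES = {v: k for k, v in OIDS.items()}

def tlv(tag, body):
    assert len(body) < 128          # short-form length is enough for the sample
    return bytes([tag, len(body)]) + body

def encode_name(rdns):
    """DER-encode a Name from [(type, value), ...], keeping the given order."""
    out = b""
    for t, v in rdns:
        atv = tlv(0x30, tlv(0x06, NAMES[t]) + tlv(0x13, v.encode("ascii")))
        out += tlv(0x31, atv)       # SET OF holding one AttributeTypeAndValue
    return tlv(0x30, out)           # SEQUENCE OF RelativeDistinguishedName

def read_tlv(buf, pos):
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                    # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def decode_name(der):
    """Return [(type, value), ...] in the order the RDNs are encoded."""
    _, body, _ = read_tlv(der, 0)
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        rdns.append((OIDS[oid], val.decode("ascii")))
    return rdns

def ldap_dn(rdns):
    # RFC 4514: the string form starts with the LAST encoded RDN.
    return ",".join(f"{t}={v}" for t, v in reversed(rdns))

def same_attrs_reversed(a, b):
    """True when two encoded Names hold the same RDNs in opposite order."""
    return a != b and decode_name(a) == decode_name(b)[::-1]

# Constructed sample names, not taken from the certificate in the thread.
USUAL = encode_name([("C", "AU"), ("O", "Example Org"), ("CN", "Example CA")])
REVERSED = encode_name([("CN", "Example CA"), ("O", "Example Org"), ("C", "AU")])

if __name__ == "__main__":
    for der in (USUAL, REVERSED):
        print(ldap_dn(decode_name(der)))
    print("reversed pair:", same_attrs_reversed(USUAL, REVERSED))
```

The two encodings differ byte for byte and map to different directory entries, so code that compares or looks up names by their encoded form treats them as unrelated.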
