>>> X.509 DNs are sets of X.500 attributes, and X.500
>>> attributes may be either single-valued or multiple-valued.
>> Conceptually perhaps (although I doubt that).
>
> I got that from David Chadwick's book at http://sec.cs.kent.ac.uk/x500book/.
>
> ``An attribute comprises an attribute type and one or more attribute values.''

Ah, ok. But then, the DN is not a *set* of such attributes, but a sequence.

> The question is, how would a multiple-valued attribute be represented
> in a certificate Name? I'm presuming it would appear as multiple
> attributes with the same "type", but different values.

Within a single RelativeDistinguishedName, yes.

> Order is important in the directory tree, but not (I think) in the DN;
> that name is just an unordered set of attributes, because the
> hierarchy information has already been lost (the RDN elements cannot
> be distinguished from each other using only the internal certificate
> information).

Hmm. The directory tree only exists through the order in the DN. E.g. from
http://java.sun.com/products/jndi/tutorial/ldap/models/x500.html

"The X.500 namespace is hierarchical. An entry is unambiguously identified by a distinguished name (DN). A distinguished name is the concatenation of selected attributes from each entry, called the relative distinguished name (RDN), in the tree along a path leading from the root down to the named entry."

If the RDNs within a DN would not be ordered, you would not get a hierarchical tree, and you could not identify entries unambiguously.

> In any case, it certainly sounds to me as if there can be multiple
> instances of AttributeTypeAndValue with the same "type" field in a
> single Name. So I'll represent them as tuples, which will preserve
> the order in which they occur in the certificate, and make the value
> immutable.

Ok. I think this will still not support multi-valued RDNs properly, but those are uncommon in PKI.

Regards,
Martin
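
The structure discussed in this message, as an added example that is not code from the thread or from any Python module: a minimal DER reader that turns a Name into an ordered tuple of RDNs, each RDN being a tuple of (type, value) pairs, so a multi-valued RDN stays grouped. The function names, the small OID table and the sample Name are assumptions constructed for illustration, and string values are assumed to be ASCII/UTF-8.

```python
# Name ::= SEQUENCE OF RelativeDistinguishedName      (ordered, root first)
# RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
# Attribute types are looked up by their encoded OID bytes (2.5.4.x).
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",
             b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def parse_name(der):
    """Return a tuple of RDNs; each RDN is a tuple of (type, value) pairs."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name must be exactly one SEQUENCE")
    rdns = []
    for tag, rdn in children(body):
        if tag != 0x31:
            raise ValueError("each RDN must be a SET")
        pairs = []
        for _, item in children(rdn):
            # AttributeTypeAndValue ::= SEQUENCE { type OID, value ANY }
            (_, oid), (_, value) = children(item)
            pairs.append((OID_NAMES.get(oid, oid.hex()), value.decode("utf-8")))
        rdns.append(tuple(pairs))
    return tuple(rdns)

# Constructed sample (short-form lengths only): C=US, O=Example, OU=Dev+CN=alice
def tlv(tag, body): return bytes([tag, len(body)]) + body
def atv(oid, text): return tlv(0x30, tlv(0x06, oid) + tlv(0x13, text.encode()))
SAMPLE = tlv(0x30, tlv(0x31, atv(b"\x55\x04\x06", "US"))
             + tlv(0x31, atv(b"\x55\x04\x0a", "Example"))
             + tlv(0x31, atv(b"\x55\x04\x0b", "Dev") + atv(b"\x55\x04\x03", "alice")))
```

Flattening the result into one list of pairs would lose the boundary of the last RDN, which is the multi-valued case raised at the end of the message.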