> The hierarchy information does not appear to be preserved.

But it only appears so. OpenSSL does not know how to render it properly (hence I say it is not very common in PKI), but they started supporting that when generating certificates, with the -multivalue-rdn option for req, and if you do

    openssl asn1parse -in ca1.crt

you see that they differ:

(ca1)
    l= 17 cons: SEQUENCE
    l= 10 prim: OBJECT          :domainComponent
    l=  3 prim: IA5STRING       :org
    l= 22 cons: SET
    l= 20 cons: SEQUENCE
    l= 10 prim: OBJECT          :domainComponent
    l=  6 prim: IA5STRING       :python
    l= 12 cons: SET
    l= 10 cons: SEQUENCE
    l=  3 prim: OBJECT          :commonName
    l=  3 prim: PRINTABLESTRING :foo
    l= 12 cons: SET
    l= 10 cons: SEQUENCE
    l=  3 prim: OBJECT          :commonName
    l=  3 prim: PRINTABLESTRING :bar

(ca2)
    l= 17 cons: SEQUENCE
    l= 10 prim: OBJECT          :domainComponent
    l=  3 prim: IA5STRING       :org
    l= 22 cons: SET
    l= 20 cons: SEQUENCE
    l= 10 prim: OBJECT          :domainComponent
    l=  6 prim: IA5STRING       :python
    l= 26 cons: SET
    l= 11 cons: SEQUENCE
    l=  3 prim: OBJECT          :commonName
    l=  4 prim: PRINTABLESTRING :bar2
    l= 11 cons: SEQUENCE
    l=  3 prim: OBJECT          :commonName
    l=  4 prim: PRINTABLESTRING :foo2

In the first case, foo and bar are in different sets; in the second case, they are in the same set. For people concerned about security, that makes a difference.

If OpenSSL actually supports that in its APIs, my proposal would be to make a multi-valued RDN a more-than-two-tuple, e.g.

    (('DC','org'),('DC','python'),('CN','bar2','CN','foo2'))

That would make it possible to distinguish the names (pun intended), yet still doesn't produce structural overhead for the normal case of single-valued RDNs.

Regards,
Martin
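The representation Martin proposes, as an added example that is not part of the original post: a minimal DER decoder for an X.509 Name that keeps each SET (one RDN) as one tuple, run on constructed DER for the two subjects above (the byte lengths match the asn1parse output). The helper names and the OID table are the example's own, not the ssl module's.

```python
# Added example (not from the original post): decode a DER X.509 Name into the
# proposed tuple shape, so single- and multi-valued RDNs compare unequal.
OIDS = {b"\x55\x04\x03": "CN",                              # 2.5.4.3
        b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19": "DC"}  # 0.9.2342.19200300.100.1.25

def _tlv(data: bytes, pos: int):
    """Decode the tag, value and end offset of the DER TLV at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value: bytes):
    """Split a constructed value into its (tag, value) components."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def parse_name(der: bytes) -> tuple:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue. Each SET becomes one
    tuple: ('CN', 'foo') if single-valued, ('CN', 'bar2', 'CN', 'foo2') if
    multi-valued, so the RDN boundaries survive in the Python object."""
    tag, seq, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns = []
    for set_tag, rdn in _children(seq):
        assert set_tag == 0x31, "RDN must be a SET"
        flat = []
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            flat += [OIDS.get(oid, oid.hex()), value.decode("ascii")]
        rdns.append(tuple(flat))
    return tuple(rdns)

# Constructed sample input: DER for the two subjects from the asn1parse output
# (short-form lengths are enough for these samples).
def _enc(tag: int, payload: bytes) -> bytes:
    return bytes([tag, len(payload)]) + payload

def _atv(oid: bytes, value: bytes, vtag: int) -> bytes:
    return _enc(0x30, _enc(0x06, oid) + _enc(vtag, value))

DC, CN = b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19", b"\x55\x04\x03"
IA5, PRINTABLE = 0x16, 0x13
PREFIX = _enc(0x31, _atv(DC, b"org", IA5)) + _enc(0x31, _atv(DC, b"python", IA5))
CA1 = _enc(0x30, PREFIX + _enc(0x31, _atv(CN, b"foo", PRINTABLE))
           + _enc(0x31, _atv(CN, b"bar", PRINTABLE)))         # two single-valued RDNs
CA2 = _enc(0x30, PREFIX + _enc(0x31, _atv(CN, b"bar2", PRINTABLE)
           + _atv(CN, b"foo2", PRINTABLE)))                    # one multi-valued RDN
```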