Re: [certid] Need to define "most specific RDN"

Peter Saint-Andre <stpeter@stpeter.im> Wed, 30 June 2010 17:41 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 36C063A6A18 for <certid@core3.amsl.com>; Wed, 30 Jun 2010 10:41:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.469
X-Spam-Level:
X-Spam-Status: No, score=-2.469 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i+P9mKEBQPSl for <certid@core3.amsl.com>; Wed, 30 Jun 2010 10:41:17 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id E1E653A68CD for <certid@ietf.org>; Wed, 30 Jun 2010 10:41:16 -0700 (PDT)
Received: from leavealone.cisco.com (72-163-0-129.cisco.com [72.163.0.129]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id BAF1340E4D for <certid@ietf.org>; Wed, 30 Jun 2010 11:41:26 -0600 (MDT)
Message-ID: <4C2B81C3.1040402@stpeter.im>
Date: Wed, 30 Jun 2010 11:41:23 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: certid@ietf.org
References: <p062408bcc83880a30dd0@[10.20.30.158]> <4C2A6E8B.7060005@stpeter.im> <4C2AE05A.4010205@velox.ch>
In-Reply-To: <4C2AE05A.4010205@velox.ch>
X-Enigmail-Version: 1.0.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms090105090905000501080003"
Subject: Re: [certid] Need to define "most specific RDN"
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 17:41:19 -0000

On 6/30/10 12:12 AM, Kaspar Brand wrote:
> On 30.06.2010 00:07, Peter Saint-Andre wrote:
>> Two questions:
>>
>> 1. Some people use "most significant" and "most specific"
>> interchangeably. Which is correct?
> 
> "most specific", I would say. And "correct" in the sense that it's the
> wording used in RFC 2818 (you won't find this term in X.501 in the
> section about names, e.g.).
> 
>> 2. More substantially, we currently have this text:
>>
>>    The subject field of a PKIX certificate is defined as an X.501 type
>>    Name and known as a Distinguished Name (DN) -- see [X.501] and
>>    [PKIX].  A DN is an ordered sequence of Relative Distinguished Names
>>    (RDNs), where each RDN is a set (i.e., an unordered group) of type-
>>    and-value pairs or "attribute value assertions" (AVAs) [LDAP-DN],
>>    each of which asserts some attribute about the subject of the
>>    certificate.  In the DER encoding of a DN, the RDNs are always in
>>    order from most significant to least significant (i.e., the first RDN
>>    is most significant and the last RDN is least significant); however,
>>    in the string representation of a DN as used in various protocols and
>>    data formats, the RDNs might be ordered from most significant to
>>    least significant (e.g., this is true of LDAP) or from least
>>    significant to most significant.
>>
>> Is the first RDN most specific, or is the last RDN most specific?
> 
> The last (as stated by others already). If we want to be really picky
> with definitions, then
> 
>> where each RDN is a set (i.e., an unordered group) of type-and-value
>> pairs or "attribute value assertions" (AVAs)
> 
> isn't entirely correct. RFC 5280 actually defines
> RelativeDistinguishedName as a SET OF AttributeTypeAndValue (not a SET
> OF AttributeValueAssertion, these have a different syntax, cf. X.501).
> 
> I.e., drop "or 'attribute value assertions' (AVAs)" from the above
> definition, 

Based on feedback from you and from Kurt, I have changed the foregoing
paragraph to:

   Certificates are binary objects -- they are encoded using
   distinguished encoding rules (DER).  Thus, the generation of
   displayable (a.k.a. printable) renderings of certificate subject and
   issuer names means that the DER-encoded sequences are decoded and
   converted into a "string representation" before being rendered.
   Because a DN is an ordered sequence, order is preserved in the string
   representation of a DN.  However, because an RDN is an unordered
   group of attribute-type-and-value pairs, the string representation of
   an RDN can differ from the canonical DER encoding; in the canonical
   encoding, the RDN that is nearest to the root of the naming tree is
   called the "most significant" RDN and the RDN that is deepest in the
   tree (and that therefore distinguishes the relative name) is called
   the "most specific" RDN.  See [LDAP-DN] for details.


> and change the definition of CN-ID to
> 
>       *  CN-ID = a Relative Distinguished Name (RDN) in the certificate
>          subject that contains one and only one type-and-value pair
>          of type Common Name (CN)

Done, thanks.

> (On a somewhat related matter: when referring to subjectAltName entries
> - e.g. in Paul's message on "Empty subjects" - using the term AVA should
> be avoided, too. Simply use "a subjectAltName entry of type X".)

So:

   It is perfectly acceptable for a PKIX certificate to have an empty
   subject field as long as there is at least one subjectAltName entry.

Is that better?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/