Re: [certid] Comments on draft-saintandre-tls-server-id-check-03

Nelson B Bolyard <nelson@bolyard.me> Wed, 21 April 2010 03:06 UTC

Message-ID: <4BCE6BBE.7070104@bolyard.me>
Date: Tue, 20 Apr 2010 20:06:38 -0700
From: Nelson B Bolyard <nelson@bolyard.me>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4BC5E00B.8060003@KingsMountain.com>
In-Reply-To: <4BC5E00B.8060003@KingsMountain.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] Comments on draft-saintandre-tls-server-id-check-03

On 2010/04/14 08:32 PDT, =JeffH wrote:
> Thanks for bringing this up Nelson, these are certainly subtle-but-important
> aspects of this spec. Peter and I've been editing the spec and are
> working on addressing these items.
> 
> fwiw..
> 
>> The various standards for translating a DER encoded Name into a string
>> call for the RDNs to be ordered, left to right, from most specific to
>> most general, the reverse of the order in which they appear in the DER
>> encoded certificate.
> 
> AFAICT, there is only one clear non-implementation-specific
> specification for a X.500/LDAP DN string representation, and that's
> (now) RFC4514 (obsoletes 2253, which obsoleted 1779, which obsoleted
> 1485).

Yes, that sequence of RFCs is the set of "various standards" to which I was
referring.

> Is there a DN string rep specified anywhere in the ISO specs (I can't
> find one)?

I'm not aware of one.  But people often assume that the tools they most
frequently use implement "the standards".  Increasingly I find that people
assume that certain popular free tools ARE "the standard" for these things.
:( and there are numerous free tools at the moment that don't
follow the above-cited RFCs in this respect.

> IIRC, quipu (a historical ISODE X.500 implementation) had its own DN
> string rep, which was left-to-right, matching the ordering of the DER
> encoded form in the certificate.