Re: [certid] Domain Components

[Paul Hoffman <paul.hoffman@vpnc.org>]

At 10:56 AM +0200 6/21/10, Peter Sylvester wrote:
>On 06/21/2010 10:27 AM, Michael Ströder wrote:
>>Paul Hoffman wrote:
>>  
>>>particularly because all of the text examples in RFC 5280 say
>>>"dc=example,dc=com".
>>>    
>>And what's wrong with that example?
>>RFC 5280 lists RFC 4514 as informative reference which I read as DNs are in
>>examples are .
>>  
>The citation is taken out of context, all examples also include cn like in:
>
>Appendix C.1 contains an annotated hex dump of a "self-signed"
>   certificate issued by a CA whose distinguished name is
>   cn=Example CA,dc=example,dc=com
>
>and they reference ldap in all parts except appendix C.1
>In C.1 one can read the encoding of that textual representation.
>
>  31   67:     SEQUENCE {
>  33   19:       SET {
>  35   17:         SEQUENCE {
>  37   10:           OBJECT IDENTIFIER
>         :             domainComponent (0 9 2342 19200300 100 1 25)
>  49    3:           IA5String 'com'
>         :           }
>         :         }
>  54   23:       SET {
>  56   21:         SEQUENCE {
>  58   10:           OBJECT IDENTIFIER
>         :             domainComponent (0 9 2342 19200300 100 1 25)
>  70    7:           IA5String 'example'
>         :           }
>         :         }
>  79   19:       SET {
>  81   17:         SEQUENCE {
>  83    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
>  88   10:           PrintableString 'Example CA'
>         :           }
>         :         }
>         :       }

Exactly. Someone reading the *text* of RFC 5280 would see the components in left-to-right order; only those who read the non-normative dumps would see that they actually appear in the certificate in the correct right-to-left order.

No one would ever make the mistake of only reading the normative text, of course...

--Paul Hoffman, Director
--VPN Consortium