IETF Logo Mail Archive

Re: [certid] version -11

Peter Saint-Andre <stpeter@stpeter.im> Mon, 29 November 2010 23:30 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4C7353A6BCF for <certid@core3.amsl.com>; Mon, 29 Nov 2010 15:30:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.456
X-Spam-Level:
X-Spam-Status: No, score=-102.456 tagged_above=-999 required=5 tests=[AWL=0.143, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W8huauhcIZJc for <certid@core3.amsl.com>; Mon, 29 Nov 2010 15:30:37 -0800 (PST)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 077723A6BCD for <certid@ietf.org>; Mon, 29 Nov 2010 15:30:37 -0800 (PST)
Received: from dhcp-64-101-72-234.cisco.com (dhcp-64-101-72-234.cisco.com [64.101.72.234]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 621AB4009B; Mon, 29 Nov 2010 16:42:51 -0700 (MST)
Message-ID: <4CF437E1.2030703@stpeter.im>
Date: Mon, 29 Nov 2010 16:31:45 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <4CE47F39.4030401@stpeter.im> <p06240809c915a0a81157@[10.20.30.150]> <4CF436F5.1030807@stpeter.im>
In-Reply-To: <4CF436F5.1030807@stpeter.im>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms050003000907080805040409"
Cc: certid@ietf.org
Subject: Re: [certid] version -11
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2010 23:30:39 -0000

On 11/29/10 4:27 PM, Peter Saint-Andre wrote:
> On 11/26/10 10:46 AM, Paul Hoffman wrote:
>
>> - Paragraph and section breaks are your friend. The "Implementation
>> Note" at the end of 2.3 is more properly "Many Implementation Notes"
>> and probably deserves its own subsection.
> 
> Good point, will place that into a new subsection and split up the long
> paragraph into smaller chunks.

2.3.1.  Implementation Notes

   Confusion sometimes arises from different renderings or encodings of
   the hierarchical information contained in a certificate.

   Certificates are binary objects and are encoded using the
   Distinguished Encoding Rules (DER) specified in [X.690].  However,
   some implementations generate displayable (a.k.a. printable)
   renderings of the certificate issuer, subject field, and
   subjectAltName extension, and these renderings convert the DER-
   encoded sequences into a "string representation" before being
   displayed.  Because a Distinguished Name (DN) is an ordered sequence,
   order is typically preserved in the DN string representations,
   although the two most prevalent DN string representations differ in
   employing left-to-right vs. right-to-left ordering.  However, because
   a Relative Distinguished Name (RDN) is an unordered group of
   attribute-type-and-value pairs, the string representation of an RDN
   can differ from the canonical DER encoding (and the order of
   attribute-type-and-value pairs can differ in the RDN string
   representations or display orders provided by various
   implementations).  Furthermore, various specifications refer to the
   order of RDNs using terminology that is not directly related to the
   information hierarchy, such as "most specific" vs. "least specific",
   "left-most" vs. "right-most", "first" vs. "last", or "most
   significant" vs. "least significant" (see for example [LDAP-DN]).

   To reduce confusion, in this specification we avoid such terms and
   instead use the terms provided under Section 1.5; in particular, we
   do not use the term "(most specific) Common Name field in the subject
   field" from [HTTP-TLS] and instead state that a CN-ID is a Relative
   Distinguished Name (RDN) in the certificate subject that contains one
   and only one attribute-type-and-value pair of type Common Name (thus
   removing the possibility that an RDN might contain multiple AVAs of
   type CN, one of which would be considered "most specific").

   Finally, although theoretically some consider the order of AVAs
   within an RDN to have meaning, in practice that rule is not observed.
   An AVA of type CN to be valid at any position within the subject
   field.

v2.8.7 | Report a Bug | By Email