Re: [certid] Need to define "most specific RDN"
Peter Saint-Andre <stpeter@stpeter.im> Tue, 29 June 2010 22:07 UTC
On 6/11/10 6:10 PM, Paul Hoffman wrote:
>> However, if this legacy identifier configuration is employed, then
>> the server's fully-qualified DNS domain name MUST be placed in the
>> last (most specific) RDN within the RDN sequence making up the
>> certificate's subjectName, as the order of RDNs is determined by
>> the DER-encoded Name within the server's PKIX certificate.
>
> I always get this wrong, so I assume people less familiar with PKIX
> do as well. Before you say "(most specific)" as if it was a toss-off,
> you should define "most specific RDN" as "the last RDN within a
> sequence", probably in section 1.3.

Two questions:

1. Some people use "most significant" and "most specific"
interchangeably. Which is correct?

2. More substantially, we currently have this text:

   The subject field of a PKIX certificate is defined as an X.501 type
   Name and known as a Distinguished Name (DN) -- see [X.501] and
   [PKIX]. A DN is an ordered sequence of Relative Distinguished Names
   (RDNs), where each RDN is a set (i.e., an unordered group) of
   type-and-value pairs or "attribute value assertions" (AVAs)
   [LDAP-DN], each of which asserts some attribute about the subject of
   the certificate. In the DER encoding of a DN, the RDNs are always in
   order from most significant to least significant (i.e., the first
   RDN is most significant and the last RDN is least significant);
   however, in the string representation of a DN as used in various
   protocols and data formats, the RDNs might be ordered from most
   significant to least significant (e.g., this is true of LDAP) or
   from least significant to most significant.

Is the first RDN most specific, or is the last RDN most specific? I
realize that the first one now will later be last [1] depending on the
string representation, but my understanding is that in the DER encoding
it's the first RDN that is most specific. Corrections are welcome.

/psa

[1] http://www.bobdylan.com/#/songs/the-times-they-are-a-changin
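As an added illustration (not from this thread or the draft), a minimal Python decoder for a constructed DER subject Name (C=US, O=Example, CN=www.example.com) showing which RDN the DER SEQUENCE puts first and which it puts last, and how the RFC 4514 LDAP string form emits the same RDNs in reverse, which is the reordering the quoted draft text describes. The sample bytes, the OID_NAMES table and the helper names are constructed for this example.

```python
# Constructed sample (not from the thread): DER subject Name for
# C=US, O=Example, CN=www.example.com, as a hypothetical CA would encode it.
NAME_DER = bytes.fromhex(
    "3039"                                              # SEQUENCE OF RDN, 57 bytes
    "310b" "3009" "0603550406" "13025553"               # RDN 1: C=US (PrintableString)
    "3110" "300e" "060355040a" "0c074578616d706c65"     # RDN 2: O=Example (UTF8String)
    "3118" "3016" "0603550403"
    "0c0f7777772e6578616d706c652e636f6d"                # RDN 3: CN=www.example.com
)
OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}

def _tlv(buf, pos):
    """Read one DER tag-length-value (short-form length only, enough here)."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form lengths not handled in this demo"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def _oid(raw):
    """Decode a base-128 OID body such as 55 04 03 -> '2.5.4.3'."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """Return RDNs in DER order: rdns[0] is the first RDN, rdns[-1] the last.
    Each RDN is a list of (type, value) AVAs; the SET makes that list unordered."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        stag, rdn, pos = _tlv(body, pos)
        assert stag == 0x31, "each RDN must be a SET"
        avas, p = [], 0
        while p < len(rdn):
            _, ava, p = _tlv(rdn, p)
            _, oid, n = _tlv(ava, 0)
            _, val, _ = _tlv(ava, n)          # PrintableString or UTF8String
            avas.append((OID_NAMES.get(_oid(oid), _oid(oid)), val.decode()))
        rdns.append(avas)
    return rdns

def ldap_string(rdns):
    """RFC 4514 string form: RDNs emitted last-to-first (escaping omitted)."""
    return ",".join("+".join(f"{t}={v}" for t, v in rdn) for rdn in reversed(rdns))
```

Running decode_name(NAME_DER) yields C=US as the first RDN and CN=www.example.com as the last, while ldap_string() prints "CN=www.example.com,O=Example,C=US", so a reader looking at the LDAP form sees the CN first even though DER stores it last.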