Re: [certid] Comments on draft-saintandre-tls-server-id-check-03

[=JeffH <Jeff.Hodges@KingsMountain.com>]

 > Is this text more accurate?
 >
 >    The subject field of a PKIX certificate is defined as a X.501 type
 >    Name and known as a Distinguished Name (DN) -- see [X.501] and
 >    [PKIX].  A DN is an ordered sequence of Relative Distinguished Name
 >    (RDNs), where an RDN is a set (i.e., an unordered group) of type-and-
 >    value pairs [LDAP-DN], each of which asserts some attribute about the
 >    subject of the certificate.

yes, IMV.


 > BTW I don't see any evidence for the following claim in RFC 4514:
 >
 >    The RDNs are ordered in the DN sequence from
 >    most general to most specific.

It is in X.501 (V3 (4th edition) section 9.7)..

   The distinguished name of a given object is defined as that name which
   consists of the sequence of the RDNs of the entry which represents the
   object and those of all of its superior entries (in descending order).


However, various (many? most?) CAs don't have an actual X.500 / LDAP directory 
with actual entries for the subjects of the certs they issue, and so concoct 
their subjectName DNs outta thin air (more or less) and so the notion that the 
RDNs in such DNs are ordered from most general to most specific doesn't 
necessarily hold (from what I understand).

So I'm not sure right now what to say about that. I suspect we can still 
stipulate that the only RDN having attr type of CN that we'll pay attention to 
is the one at the far end of the RDN sequence comprising the DN.

=JeffH