Re: [certid] Need to define "most specific RDN"

Peter Saint-Andre <stpeter@stpeter.im> Wed, 30 June 2010 21:56 UTC


On 6/30/10 2:51 PM, Love Hörnquist Åstrand wrote:
> 
> 30 jun 2010 kl. 10:51 skrev Peter Saint-Andre <stpeter@stpeter.im>:
> 
>> On 6/30/10 11:46 AM, Martin Rex wrote:
>>> Peter Saint-Andre wrote:
>>>> 
>>>> Based on feedback from you and from Kurt, I have changed the
>>>> foregoing paragraph to:
>>>> 
>>>> Certificates are binary objects -- they are encoded using 
>>>> distinguished encoding rules (DER).  Thus, the generation of 
>>>> displayable (a.k.a. printable) renderings of certificate
>>>> subject and issuer names means that the DER-encoded sequences
>>>> are decoded and converted into a "string representation" before
>>>> being rendered. Because a DN is an ordered sequence, order is
>>>> preserved in the string representation of a DN.  However,
>>>> because an RDN is an unordered group of
>>>> attribute-type-and-value pairs, the string representation of an
>>>> RDN can differ from the canonical DER encoding; in the
>>>> canonical encoding, the RDN that is nearest to the root of the
>>>> naming tree is called the "most significant" RDN and the RDN
>>>> that is deepest in the tree (and that therefore distinguishes
>>>> the relative name) is called the "most specific" RDN.  See
>>>> [LDAP-DN] for details.
>>> 
>>> I'm actually confused by referring to one end with "most
>>> significant" and the other with "most specific".  Couldn't we
>>> just drop the "most significant" entirely and use "least
>>> specific" / "most specific" for the two ends?
>> 
>> Given that we never use the term "most significant" in this I-D,
>> I'd say we can remove any mention of it.
> 
> Peter,
> 
> Can you please add a DER encoded Name, the asn1parse/dump version of
> the name, and the LDAP version of the string, with annotations of what
> the different parts are called? This confuses me every time I try to
> parse the RFCs and drafts.

I'm still just learning about all of these different terms, formats,
versions, and representations. And yes it is quite confusing. Perhaps
I'll ask one of the co-editors or contributors to come up with a good
example as you have requested...

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
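An illustration of the point under discussion, added here as an example and not taken from the thread or the I-D: a minimal hand-rolled DER encoder/decoder for an X.501 Name, with the RFC 4514 string rendering beside it, showing that the SEQUENCE keeps RDN order (root first) while the SET inside each RDN does not, and that the string form reverses the order so the most specific RDN comes first. It assumes short-form lengths, single-byte OID arcs (true for the 2.5.4.x attribute types), UTF8String values and no RFC 4514 escaping; the sample DN and all helper names are constructed.

```python
# Added example, not code from the thread: DER-encode an X.501 Name, decode it again
# and render it as an RFC 4514 string. The sample DN and all helper names are constructed.
OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form length only"          # enough for this example
    return bytes([tag, len(body)]) + body

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    assert all(a < 128 for a in arcs[2:]), "single-byte arcs only"  # true for 2.5.4.x
    return _tlv(0x06, bytes([40 * arcs[0] + arcs[1]] + arcs[2:]))

TYPE_OF = {_oid(oid): name for name, oid in OIDS.items()}      # encoded OID -> short name

def encode_name(rdns: list) -> bytes:
    """rdns in DER order: root (least specific) RDN first, most specific RDN last.
    Each RDN is a list of (type, value) pairs; an RDN with several pairs is multi-valued."""
    sets = []
    for rdn in rdns:
        atvs = [_tlv(0x30, _oid(OIDS[t]) + _tlv(0x0C, v.encode())) for t, v in rdn]
        sets.append(_tlv(0x31, b"".join(sorted(atvs))))       # SET OF: DER sorts by encoding
    return _tlv(0x30, b"".join(sets))                         # Name ::= SEQUENCE OF RDN

def _tlv_at(buf: bytes, pos: int):
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def decode_name(der: bytes) -> list:
    tag, seq, _ = _tlv_at(der, 0)
    assert tag == 0x30                                        # SEQUENCE (order preserved)
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _tlv_at(seq, pos)
        assert tag == 0x31                                    # SET (members unordered)
        rdn, p = [], 0
        while p < len(rdn_set):
            _, atv, p = _tlv_at(rdn_set, p)                   # AttributeTypeAndValue SEQUENCE
            _, _, q = _tlv_at(atv, 0)                         # q = end of the type OID TLV
            _, value, _ = _tlv_at(atv, q)                     # UTF8String value
            rdn.append((TYPE_OF[atv[:q]], value.decode()))
        rdns.append(rdn)
    return rdns

def ldap_string(rdns: list) -> str:
    """RFC 4514 string: most specific RDN first (DER order reversed); '+' joins a multi-valued RDN.
    Values containing ',' '+' '=' etc. would need RFC 4514 escaping, omitted here."""
    return ",".join("+".join(f"{t}={v}" for t, v in rdn) for rdn in reversed(rdns))

# Constructed sample: root-first, ending in a multi-valued (OU + CN) most specific RDN.
SAMPLE = [[("C", "US")], [("O", "Example Corp")], [("OU", "Eng"), ("CN", "Alice")]]
```

Running `encode_name(SAMPLE).hex()` gives the bytes to feed to an ASN.1 dumper, and `ldap_string(decode_name(...))` shows the string form whose first RDN (`OU=Eng+CN=Alice`) is the last, most specific, SET in the DER.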