Re: [certid] Need to define "most specific RDN"
Kurt Zeilenga <Kurt.Zeilenga@Isode.com> Wed, 30 June 2010 13:47 UTC
On Jun 29, 2010, at 3:07 PM, Peter Saint-Andre wrote:

> 1. Some people use "most significant" and "most specific"
> interchangeably. Which is correct?

This is bad. Most significant and most specific are not interchangeable terms.

Most significant refers to the RDN with the greatest value. That is, the RDN which is nearest the root of the naming tree.

The most specific RDN refers to the RDN which is deepest in the tree, the RDN that is composed of AVAs which distinguish the relative name within a subtree.

In the DN <cn=Kurt Zeilenga,cn=users,o=Example> (using RFC 4513 notation), o=Example is the most significant (e.g., RDN with the greatest value), and cn=Kurt Zeilenga is the most specific (RDN which is most specific in describing the named object).

> 2. More substantially, we currently have this text:
>
> The subject field of a PKIX certificate is defined as an X.501 type
> Name and known as a Distinguished Name (DN) -- see [X.501] and
> [PKIX]. A DN is an ordered sequence of Relative Distinguished Names
> (RDNs), where each RDN is a set (i.e., an unordered group) of type-
> and-value pairs or "attribute value assertions" (AVAs) [LDAP-DN],
> each of which asserts some attribute about the subject of the
> certificate. In the DER encoding of a DN, the RDNs are always in
> order from most significant to least significant (i.e., the first RDN
> is most significant and the last RDN is least significant); however,
> in the string representation of a DN as used in various protocols and
> data formats, the RDNs might be ordered from most significant to
> least significant (e.g., this is true of LDAP) or from least
> significant to most significant.

One could replace 'least/most significant' here with 'most/least specific'.

Regards, Kurt
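An added example, not part of the original message or of the draft under discussion: a small parser that normalizes a DN string to DER order (most significant RDN first, most specific last) and shows what an identity check picks up when it assumes the wrong string ordering. The function names, the `specific_first` parameter and the reversed-form input are assumptions made for illustration, and escape handling is simplified.

```python
import re

def split_unescaped(text, sep):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]   # keep the escape pair intact for now
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    return parts + [cur]

def parse_rdn(text):
    """One RDN: an unordered set of AVAs, joined by '+' in string form."""
    avas = set()
    for ava in split_unescaped(text, "+"):
        attr, _, value = ava.partition("=")
        # Simplification: single-character escapes only, no hex pairs.
        avas.add((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
    return frozenset(avas)

def parse_dn(text, specific_first):
    """Return RDNs in DER order: most significant first, most specific last."""
    rdns = [parse_rdn(r) for r in split_unescaped(text, ",")]
    return rdns[::-1] if specific_first else rdns

def most_specific_cn(rdns):
    """CN value from the most specific (last in DER order) RDN, or None."""
    return next((v for a, v in rdns[-1] if a == "cn"), None)

# Constructed inputs: the DN from the message in both string orderings.
LDAP_FORM = "cn=Kurt Zeilenga,cn=users,o=Example"      # most specific first
REVERSED_FORM = "o=Example,cn=users,cn=Kurt Zeilenga"  # most significant first

if __name__ == "__main__":
    good = parse_dn(LDAP_FORM, specific_first=True)
    print("most significant:", sorted(good[0]))
    print("most specific:  ", sorted(good[-1]))
    # Wrong ordering assumption: o=Example is treated as most specific.
    print("misparsed CN:", most_specific_cn(parse_dn(LDAP_FORM, specific_first=False)))
```

Because each RDN is stored as a set, `cn=Kurt+uid=kz` and `uid=kz+cn=Kurt` compare equal, while the order of RDNs within the DN is preserved.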