Re: [certid] Need to define "most specific RDN"
Ludwig Nussel <ludwig.nussel@suse.de> Tue, 06 July 2010 12:33 UTC
From: Ludwig Nussel <ludwig.nussel@suse.de>
To: certid@ietf.org
Date: Tue, 6 Jul 2010 14:35:29 +0200
References: <201006301746.o5UHkIsE019133@fs4113.wdf.sap.corp>
<4C2B843A.5010206@stpeter.im> <4C305B93.9090001@velox.ch>
In-Reply-To: <4C305B93.9090001@velox.ch>
Message-Id: <201007061435.29786.ludwig.nussel@suse.de>
Kaspar Brand wrote:
> [1] Re-reading section 3.1 in RFC 2818 can actually confirm this
> hypothesis, under the following interpretation: "the (most specific)
> Common Name field in the Subject field of the certificate MUST be used"
> can be understood to mean the domain name which has the highest number
> of DNS labels: if the subject has CN=foo.example.net and CN=example.net,
> then the first one must be used for the identity check (it's more
> specific than CN=example.net), irrespective of its position in the DER
> encoded subject, actually.

That interpretation at least doesn't require knowledge about certificate
encoding subtleties. It's ambiguous though. You could have several CNs with
an equal number of dots after all. Just think of this one:
http://www.mail-archive.com/openssl-users@openssl.org/msg61198.html

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
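An added example, not part of the thread or any verifier's real code, that applies the "highest number of DNS labels" reading of RFC 2818's "most specific" CN to a subject modelled as a DER-ordered list of RDNs, and flags the tie Ludwig points out; the subject structure, the constructed sample subjects and the function names are assumptions for illustration.

```python
# Constructed model: a subject is a list of RDNs in DER order; each RDN is a
# list of (attribute_type, value) tuples. No real certificate parsing here.
from typing import List, Optional, Tuple

Subject = List[List[Tuple[str, str]]]


class AmbiguousCommonName(ValueError):
    """Two or more CNs share the maximal label count, so the rule is undecided."""


def common_names(subject: Subject) -> List[str]:
    """All CN values, in the order they appear in the (DER-encoded) subject."""
    return [value for rdn in subject for (attr, value) in rdn if attr == "CN"]


def label_count(name: str) -> int:
    """Number of non-empty DNS labels; a trailing dot does not add a label."""
    return len([lbl for lbl in name.strip(".").split(".") if lbl])


def most_specific_candidates(subject: Subject) -> List[str]:
    """CNs with the highest label count, DER order preserved (empty if no CN).
    Kaspar's reading picks the single winner; more than one means a tie."""
    cns = common_names(subject)
    if not cns:
        return []
    best = max(label_count(cn) for cn in cns)
    return [cn for cn in cns if label_count(cn) == best]


def most_specific_cn(subject: Subject) -> Optional[str]:
    """Return the unique most-specific CN, None if there is no CN, and raise
    AmbiguousCommonName when several CNs tie on label count."""
    candidates = most_specific_candidates(subject)
    if not candidates:
        return None
    if len(candidates) > 1:
        raise AmbiguousCommonName(f"tie on {label_count(candidates[0])} labels: {candidates}")
    return candidates[0]


# Constructed sample subjects (illustrative values, not from any real certificate).
SUBJECT_WITH_WINNER: Subject = [[("C", "DE")], [("O", "Example")],
                                [("CN", "example.net")], [("CN", "foo.example.net")]]
SUBJECT_WITH_TIE: Subject = [[("C", "DE")], [("CN", "foo.example.net")],
                             [("CN", "bar.example.net")]]

if __name__ == "__main__":
    print(most_specific_cn(SUBJECT_WITH_WINNER))          # foo.example.net
    print(most_specific_candidates(SUBJECT_WITH_TIE))     # both tie, undecidable
```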