Re: [certid] Need to define "most specific RDN"

Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk> Tue, 29 June 2010 22:31 UTC

Message-ID: <4C2A7428.3060801@manchester.ac.uk>
Date: Tue, 29 Jun 2010 23:31:04 +0100
From: Bruno Harbulot <Bruno.Harbulot@manchester.ac.uk>
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <p062408bcc83880a30dd0@[10.20.30.158]> <4C2A6E8B.7060005@stpeter.im>
In-Reply-To: <4C2A6E8B.7060005@stpeter.im>
Cc: certid@ietf.org
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>

On 29/06/2010 23:07, Peter Saint-Andre wrote:
> On 6/11/10 6:10 PM, Paul Hoffman wrote:
>>> However, if this legacy identifier configuration is employed, then
>>> the server's fully-qualified DNS domain name MUST be placed in the
>>> last (most specific) RDN within the RDN sequence making up the
>>> certificate's subjectName, as the order of RDNs is determined by
>>> the DER-encoded Name within the server's PKIX certificate.
>>
>> I always get this wrong, so I assume people less familiar with PKIX
>> do as well. Before you say "(most specific)" as if it was a toss-off,
>> you should define "most specific RDN" as "the last RDN within a
>> sequence", probably in section 1.3.
>
> Two questions:
>
> 1. Some people use "most significant" and "most specific"
> interchangeably. Which is correct?
>
> 2. More substantially, we currently have this text:
>
>     The subject field of a PKIX certificate is defined as an X.501 type
>     Name and known as a Distinguished Name (DN) -- see [X.501] and
>     [PKIX].  A DN is an ordered sequence of Relative Distinguished Names
>     (RDNs), where each RDN is a set (i.e., an unordered group) of type-
>     and-value pairs or "attribute value assertions" (AVAs) [LDAP-DN],
>     each of which asserts some attribute about the subject of the
>     certificate.  In the DER encoding of a DN, the RDNs are always in
>     order from most significant to least significant (i.e., the first RDN
>     is most significant and the last RDN is least significant); however,
>     in the string representation of a DN as used in various protocols and
>     data formats, the RDNs might be ordered from most significant to
>     least significant (e.g., this is true of LDAP) or from least
>     significant to most significant.
>
> Is the first RDN most specific, or is the last RDN most specific? I
> realize that the first one now will later be last [1] depending on the
> string representation, but my understanding is that in the DER encoding
> it's the first RDN that is most specific. Corrections are welcome.

I've always understood (perhaps by mistake) that the most specific was 
the last in the sequence. This also seems to reflect going "deeper" in 
the LDAP tree.

For example, (from www.google.com:443), the Subject DN is:

  156  104:     SEQUENCE {
  158   11:       SET {
  160    9:         SEQUENCE {
  162    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  167    2:           PrintableString 'US'
          :           }
          :         }
  171   19:       SET {
  173   17:         SEQUENCE {
  175    3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
  180   10:           PrintableString 'California'
          :           }
          :         }
  192   22:       SET {
  194   20:         SEQUENCE {
  196    3:           OBJECT IDENTIFIER localityName (2 5 4 7)
  201   13:           TeletexString 'Mountain View'
          :           }
          :         }
  216   19:       SET {
  218   17:         SEQUENCE {
  220    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  225   10:           TeletexString 'Google Inc'
          :           }
          :         }
  237   23:       SET {
  239   21:         SEQUENCE {
  241    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  246   14:           TeletexString 'www.google.com'
          :           }
          :         }
          :       }



I think most I've seen follow this naming structure: country first and 
CN last. Intuitively, this seems to suggest that the first in the 
sequence is the least specific and that the last in the sequence is the 
most specific, if we use this terminology. (Is this correct?)


Best wishes,

Bruno.
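The ordering question in the thread is easiest to settle by looking at the bytes. The following is an added example, not code from the message, the draft or any IETF project: a minimal DER encoder and decoder for an X.501 Name that rebuilds the www.google.com subject DN quoted above, reads the RDNs back in the order in which they sit in the DER encoding (country first, CN last), and renders the same Name both in that DER order and in the RFC 4514 (LDAP) string order, which lists the last DER RDN first. All attribute values are constructed from the dumpasn1 dump in the message; the encoder uses UTF8String for every value, so the bytes differ from the real certificate's PrintableString/TeletexString encoding, but the RDN order, which is the point, does not. RFC 4514 value escaping is omitted because none of these values needs it.

```python
"""Added example (not part of the mailing-list message or any IETF draft):
encode and decode an X.501 Name in DER to show the RDN order, and render it in
DER order versus RFC 4514 (LDAP string) order."""
from typing import List, Tuple

# Standard X.520 attribute type OIDs for the five types in the quoted DN.
OID_NAMES = {
    "2.5.4.6": "C",
    "2.5.4.8": "ST",
    "2.5.4.7": "L",
    "2.5.4.10": "O",
    "2.5.4.3": "CN",
}

# The subject DN in DER order, copied from the dumpasn1 output in the message
# (constructed sample input; one AVA per RDN, as in that certificate).
GOOGLE_SUBJECT = [
    ("2.5.4.6", "US"),
    ("2.5.4.8", "California"),
    ("2.5.4.7", "Mountain View"),
    ("2.5.4.10", "Google Inc"),
    ("2.5.4.3", "www.google.com"),
]


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, base-128 for the rest."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_name(rdns: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName; each RDN is a SET of AVAs.
    Here every RDN holds exactly one AVA, encoded with a UTF8String value."""
    body = b""
    for oid, value in rdns:
        ava = _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, value.encode("utf-8")))
        body += _tlv(0x31, ava)  # SET: the RDN
    return _tlv(0x30, body)  # SEQUENCE: the Name


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    # First byte split is exact for arcs starting with 2.5.x, which is all we need here.
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes) -> List[List[Tuple[str, str]]]:
    """Return the RDNs exactly in DER order; each RDN is a list of (oid, value) AVAs."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn_body, pos = _read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        avas, p = [], 0
        while p < len(rdn_body):
            _, ava_body, p = _read_tlv(rdn_body, p)
            _, oid_body, q = _read_tlv(ava_body, 0)
            _, val_body, _ = _read_tlv(ava_body, q)
            avas.append((_decode_oid(oid_body), val_body.decode("utf-8")))
        rdns.append(avas)
    return rdns


def _rdn_to_str(rdn: List[Tuple[str, str]]) -> str:
    return "+".join(f"{OID_NAMES.get(oid, oid)}={value}" for oid, value in rdn)


def der_order_string(rdns) -> str:
    """Same order as the DER encoding: first RDN (C=US) first, CN last."""
    return ",".join(_rdn_to_str(r) for r in rdns)


def ldap_string(rdns) -> str:
    """RFC 4514 order: RDNs emitted from last to first, so the CN leads."""
    return ",".join(_rdn_to_str(r) for r in reversed(rdns))


if __name__ == "__main__":
    decoded = decode_name(encode_name(GOOGLE_SUBJECT))
    print("DER order :", der_order_string(decoded))
    print("LDAP order:", ldap_string(decoded))
```

Running it prints the DN once as `C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com` (the order of the SETs in the dump above) and once as `CN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US`, which is why a string form alone cannot tell a reader whether "last" means last in the DER sequence.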