Re: ASN.1 types for Distinguished names (was: Re: Distinguished names and

Julian Onions <j.onions@nexor.co.uk> Thu, 03 April 1997 07:07 UTC

Received: by suntan.tandem.com (8.6.12/suntan5.970212) for ietf-pkix-relay id XAA27681; Wed, 2 Apr 1997 23:07:14 -0800
Received: from victor.nexor.co.uk by suntan.tandem.com (8.6.12/suntan5.970212) for <ietf-pkix@tandem.com> id XAA27678; Wed, 2 Apr 1997 23:07:12 -0800
Received: from nexor.co.uk (actually host tornado) by victor with SMTP (MMTA 2.0); Thu, 3 Apr 1997 08:03:20 +0100
To: Brian Korver <briank@terisa.com>
cc: " (Holger Reif)" <Holger.Reif@PrakInf.TU-Ilmenau.d400-gw.de>, ietf-pkix@tandem.com, ssl-users@mincom.oz.au
Subject: Re: ASN.1 types for Distinguished names (was: Re: Distinguished names and
In-reply-to: Your message of Wed, 02 Apr 1997 18:38:42 +0100. <199704021732.JAA10529@dv8.teri>
X-Phone: +44 115 952 0580
Date: Thu, 03 Apr 1997 08:03:14 +0100
Message-ID: <28351.860050994@nexor.co.uk>
From: Julian Onions <j.onions@nexor.co.uk>

When comparing DN's you should actually use the matching rules defined
in X.500 for each RDN component. This tells you whether two components are
equal. So to get it right in all cases is quite laborious.
However, for the majority of cases you can make it simple, as there
are in practice only about two matching rules in common usage.

Most components are of syntax DirectoryString and are derived from the
name attribute (http://domen.uninett.no/~hta/ietf/oid/2.5.4.41.html).
These all mostly use caseIgnoreMatch for comparison 
(http://domen.uninett.no/~hta/ietf/oid/2.5.13.2.html) in which 
characters are considered equal if 'corresponding characters' match.
And as X.500 says...

"Where the strings being matched are of different ASN.1 syntax, the
comparison proceeds as normal so long as the corresponding characters
are in both character sets. Otherwise matching fails."

Which implies for implementation, mapping one syntax into another
before comparison.

As to what ASN.1 syntax you choose from the choice - given the above rules
it doesn't much matter providing it is representable. Therefore printable
string is the simplest if you've got the basic latin alphabet. If you need
to represent accents or odd punctuation characters, you need to use
one of the other alternatives, but you could always go for the most complex
encoding if required.

One thing not mentioned in the rules, but which is a general note, is
that for string syntaxes space characters are handled specially. That is:
- leading and trailing spaces are ignored
- multiple consecutive spaces are considered to be one space
- a string consisting only of spaces is considered to be equal to a single
  space

Julian.

P.S. As to certificate and CRL extensions - there is a mostly complete
list of the X.500(97) ones at 
http://domen.uninett.no/~hta/ietf/oid/2.5.29.html
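The comparison rules described in the message above (caseIgnoreMatch, the three space-handling rules, and the quoted X.500 rule that matching fails when a string cannot be carried in the other component's character set), worked through as an added example; this is not code from the original post or from any X.500 implementation. It assumes a simplified in-memory DN model (a list of RDNs, each a list of (type, value, syntax) tuples), applies caseIgnoreMatch to every attribute type (a simplification the message itself notes), and reads "corresponding characters are in both character sets" as a representability check against each syntax's repertoire; the sample DNs are constructed.

```python
import re

# PrintableString repertoire (X.680): letters, digits, space and a small set of punctuation.
PRINTABLE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


def representable(value, syntax):
    """Can every character of `value` be carried in the named ASN.1 string syntax?
    Assumption: this is how the quoted X.500 cross-syntax rule is interpreted here."""
    if syntax == "PrintableString":
        return all(c in PRINTABLE_CHARS for c in value)
    if syntax == "IA5String":
        return all(ord(c) < 128 for c in value)
    if syntax == "BMPString":
        return all(ord(c) <= 0xFFFF for c in value)
    if syntax == "UTF8String":
        return True
    raise ValueError("unsupported syntax: %s" % syntax)


def normalize_spaces(s):
    """Apply the three space rules from the message:
    leading/trailing spaces ignored, runs of spaces collapse to one,
    and a string made only of spaces equals a single space."""
    if s != "" and s.strip(" ") == "":
        return " "
    return re.sub(" {2,}", " ", s.strip(" "))


def case_ignore_match(a, syntax_a, b, syntax_b):
    """caseIgnoreMatch across possibly different string syntaxes.
    Matching fails outright if either value has characters the other syntax cannot carry."""
    if not (representable(a, syntax_b) and representable(b, syntax_a)):
        return False
    return normalize_spaces(a).casefold() == normalize_spaces(b).casefold()


def rdn_match(rdn_a, rdn_b):
    """Two RDNs match if they hold the same number of AVAs and each AVA of one
    pairs with an unused AVA of the other having the same type and a matching value."""
    if len(rdn_a) != len(rdn_b):
        return False
    remaining = list(rdn_b)
    for attr_type, value, syntax in rdn_a:
        for i, (t2, v2, s2) in enumerate(remaining):
            if attr_type == t2 and case_ignore_match(value, syntax, v2, s2):
                del remaining[i]
                break
        else:
            return False
    return True


def dn_match(dn_a, dn_b):
    """Two DNs match if they have the same number of RDNs and each RDN matches in order."""
    return len(dn_a) == len(dn_b) and all(rdn_match(x, y) for x, y in zip(dn_a, dn_b))


# Constructed sample DNs (not taken from the message).
EXAMPLE_DN_A = [
    [("C", "GB", "PrintableString")],
    [("O", "  Nexor   Ltd ", "PrintableString")],
    [("CN", "Julian Onions", "PrintableString")],
]
# Same name, different case, spacing and syntaxes: should match.
EXAMPLE_DN_B = [
    [("C", "gb", "PrintableString")],
    [("O", "nexor ltd", "UTF8String")],
    [("CN", "JULIAN ONIONS", "UTF8String")],
]
# Accented character that PrintableString cannot carry: matching must fail.
EXAMPLE_DN_C = [
    [("C", "GB", "PrintableString")],
    [("O", "Nexor Ltd", "PrintableString")],
    [("CN", "Juli\u00e1n Onions", "UTF8String")],
]

if __name__ == "__main__":
    print(dn_match(EXAMPLE_DN_A, EXAMPLE_DN_B))  # True
    print(dn_match(EXAMPLE_DN_A, EXAMPLE_DN_C))  # False
```

`str.casefold()` stands in for the case-insensitive step of caseIgnoreMatch; a full implementation would also need the other X.520 matching rules (for example caseIgnoreIA5Match for IA5String attributes) selected per attribute type, which is the "laborious" part the message refers to.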