Re: authmeth-16 TLS issues
Hallvard B Furuseth wrote:
Roger Harrison writes:
The server's identity may also be verified by comparing the reference
identity to the Common Name value of the least significant RDN of the
subjectName field of the server's certificate. Note that the TLS
implementation may display DNs in certificates according to X.509's
rules rather than LDAP's rules. For example, RDNs in a DN may be
ordered left-to-right instead of right-to-left.
Upon further reflection, I would make this
Note that the TLS
implementation may display DNs in certificates according to X.509's
conventions rather than LDAP's rules.
as there really are no rules in X.500 for displaying DNs.
I still think "the RDN" is clearer than "the least significant RDN",
since I'm not used to the term "least significant" with this meaning for
non-numbers.
Another choice could be "most inferior" though it's not much better.
But, both terms are in keeping with the X.500 definition of a DN.
I guess "the RDN" is better if it is more explicitly qualified:
The server's identity may also be verified by comparing the reference
identity to the value of the Common Name attribute in the RDN of the
entity named by the server certificate's DN.
I.e., a DN is a sequence of RDNs, but only one RDN names the entity in
question, the others name the parents/ancestors.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
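The ordering point made in the thread is easy to get wrong in code: an LDAP string DN (RFC 4514) lists the entity's own RDN first, while X.500/X.509 order puts it last, so "the least significant RDN" and "the first RDN" are the same thing only after you know which convention you are looking at. The following Python is an added example, not code from the thread or from OpenLDAP; it uses a constructed minimal DN parser (no hex escapes or quoted values) and assumes the reference identity is a DNS name compared case-insensitively. It picks the Common Name out of the entity-naming RDN only, ignoring any CN in ancestor RDNs.

```python
"""Added example: locate the entity-naming RDN of a server certificate's
subject DN and compare its CN with the reference identity."""
from typing import List, Optional, Tuple

RDN = List[Tuple[str, str]]  # an RDN may carry several attribute/value pairs


def parse_ldap_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 string DN (most specific RDN written first) into a
    list of RDNs in that same left-to-right order.  Constructed, minimal
    parser: handles backslash-escaped characters and '+'-joined multi-valued
    RDNs, nothing more."""
    rdns: List[RDN] = []
    rdn: RDN = []
    key = ""
    buf: List[str] = []
    in_value = False
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","  # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])           # escaped ',', '+', '=' etc.
            i += 2
            continue
        if not in_value and ch == "=":
            key = "".join(buf).strip()
            buf = []
            in_value = True
        elif in_value and ch in ",+":
            rdn.append((key, "".join(buf).strip()))
            buf = []
            in_value = False
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    return rdns


def x509_order(rdns_ldap: List[RDN]) -> List[RDN]:
    """X.500/X.509 order: the root RDN (e.g. C=US) first, the entity's own
    (least significant) RDN last."""
    return list(reversed(rdns_ldap))


def format_x509(rdns_x509: List[RDN]) -> str:
    """Render a DN the way a TLS toolkit following X.509 conventions might
    display it: root first, entity last."""
    return ",".join("+".join(f"{k}={v}" for k, v in rdn) for rdn in rdns_x509)


def least_significant_rdn(rdns_x509: List[RDN]) -> RDN:
    """The RDN that names the entity itself; all others name its ancestors."""
    return rdns_x509[-1]


def cn_of(rdn: RDN) -> Optional[str]:
    for attr, value in rdn:
        if attr.upper() in ("CN", "COMMONNAME"):
            return value
    return None


def matches_reference_identity(ldap_dn: str, reference_identity: str) -> bool:
    """True if the CN of the entity-naming RDN equals the reference identity
    (DNS names are case-insensitive).  A CN in any ancestor RDN is ignored,
    which is exactly why the end of the DN you read from matters."""
    subject = x509_order(parse_ldap_dn(ldap_dn))
    cn = cn_of(least_significant_rdn(subject))
    return cn is not None and cn.lower() == reference_identity.lower()


if __name__ == "__main__":
    # Constructed sample subject, written in LDAP string order.
    dn = "CN=ldap.example.com,CN=Servers,O=Example Corp,C=US"
    print("X.509 display order:", format_x509(x509_order(parse_ldap_dn(dn))))
    print(matches_reference_identity(dn, "LDAP.example.com"))
    print(matches_reference_identity(dn, "Servers"))
```

Reading the wrong end of the DN would compare the reference identity against "Servers" (an ancestor's CN) rather than the server's own name; the check above accepts only the entity RDN's CN.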