
Re: authmeth-16 TLS issues



Hallvard B Furuseth wrote:
Roger Harrison writes:

The server's identity may also be verified by comparing the reference
identity to the Common Name value of the least significant RDN of the
subjectName field of the server's certificate.  Note that the TLS
implementation may display DNs in certificates according to X.509's
rules rather than LDAP's rules.  For example, RDNs in a DN may be
ordered left-to-right instead of right-to-left.

Upon further reflection, I would make this

  Note that the TLS
  implementation may display DNs in certificates according to X.509's
  conventions rather than LDAP's rules.

as there really are no rules in X.500 for displaying DNs.

I still think "the RDN" is clearer than "the least significant RDN",
since I'm not used to the term "least significant" with this meaning for
non-numbers.

Another choice could be "most inferior", though it's not much better. But both terms are in keeping with the X.500 definition of a DN.


I guess "the RDN" is better if it is more explicitly qualified:

  The server's identity may also be verified by comparing the reference
  identity to the value of the Common Name attribute in the RDN of the
  entity named by the server certificate's DN.

I.e., a DN is a sequence of RDNs, but only one RDN names the entity in question, the others name the parents/ancestors.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
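The two points argued above, that only one RDN of the subject DN names the server, and that X.509 toolkits show the DN root-first while LDAP's string form (RFC 4514) lists the entity's RDN first, can be made concrete in code. The following is an added example, not code from this thread or from OpenLDAP. It assumes the subject DN is available as an RFC 4514 string (a constructed input; a real client would take the DN from the parsed certificate, and should check subjectAltName dNSName entries before falling back to the CN). It deliberately picks the CN from the entity's own RDN only, so a parent container that also happens to be named with `cn` can never satisfy the check.

```python
"""Server identity check against the CN of the entity RDN of a subject DN.

Added example, not code from the thread or from OpenLDAP. Assumes the subject
DN arrives as an RFC 4514 string (constructed input below).
"""
from typing import List, Tuple

RDN = List[Tuple[str, str]]          # one RDN = one or more (type, value) pairs
_SPECIAL = set(',+"\\<>;')           # characters that must be escaped in a value


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, skipping backslash-escaped separators (escapes are kept)."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(v: str) -> str:
    """Undo RFC 4514 escapes: '\\x' -> 'x', '\\HH' -> the single (ASCII) byte HH."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(v[i + 1])
                i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)


def _escape(v: str) -> str:
    """Escape a value for the string forms (RFC 4514 section 2.4)."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in v)
    if v[:1] in ("#", " "):
        out = "\\" + out
    if len(v) > 1 and v.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_ldap_dn(dn: str) -> List[RDN]:
    """Parse an RFC 4514 DN string into RDNs in X.500 order (root first).

    Attribute types are case-insensitive and are normalised to lower case.
    """
    if not dn:
        return []
    rdns: List[RDN] = []
    for rdn_str in _split_unescaped(dn, ","):
        avas: RDN = []
        for ava in _split_unescaped(rdn_str, "+"):
            attr_type, _, value = ava.partition("=")  # the type never contains '='
            avas.append((attr_type.strip().lower(), _unescape(value)))
        rdns.append(avas)
    rdns.reverse()  # LDAP string: entity first; X.500/X.509: root first
    return rdns


def entity_rdn(dn_x500: List[RDN]) -> RDN:
    """The one RDN that names the entity itself (the 'least significant' RDN)."""
    return dn_x500[-1]


def entity_common_names(dn_x500: List[RDN]) -> List[str]:
    """CN values of the entity's RDN only; CNs of ancestor RDNs are ignored."""
    return [v for t, v in entity_rdn(dn_x500) if t == "cn"]


def matches_reference_identity(dn_x500: List[RDN], reference_identity: str) -> bool:
    """DNS names compare case-insensitively; a trailing dot is not significant."""
    ref = reference_identity.rstrip(".").lower()
    return any(cn.rstrip(".").lower() == ref for cn in entity_common_names(dn_x500))


def to_x509_display(dn_x500: List[RDN]) -> str:
    """X.500 order, as TLS toolkits tend to print it: root first, entity last."""
    return ", ".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in dn_x500)


def to_ldap_string(dn_x500: List[RDN]) -> str:
    """RFC 4514 order: the entity's RDN first, then its ancestors."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn)
                    for rdn in reversed(dn_x500))


if __name__ == "__main__":
    # Constructed subject DN; note the parent container is also named with cn.
    dn = parse_ldap_dn(r"cn=ldap.example.com,cn=Servers,o=Example\, Inc.")
    print("X.509 display:", to_x509_display(dn))
    print("LDAP string:  ", to_ldap_string(dn))
    print("entity CNs:   ", entity_common_names(dn))
    print("ldap.example.com matches:", matches_reference_identity(dn, "LDAP.example.com."))
    print("Servers matches:         ", matches_reference_identity(dn, "Servers"))
```

Running the block prints the same DN in both orders and shows that `Servers`, the CN of the parent RDN, does not match even though it is a CN in the DN, which is exactly the ambiguity the proposed wording ("the RDN of the entity named by the server certificate's DN") is meant to remove.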