
Re: authmeth-16 TLS issues



Howard Chu writes:
>Hallvard B Furuseth wrote:
>>Roger Harrison writes:
>>> The server's identity may also be verified by comparing the reference
>>> identity to the Common Name value of the least significant RDN of the
>>> subjectName field of the server's certificate.  Note that the TLS
>>> implementation may display DNs in certificates according to X.509's
>>> rules rather than LDAP's rules.  For example, RDNs in a DN may be
>>> ordered left-to-right instead of right-to-left.
>
> Upon further reflection, I would make this
>
>    Note that the TLS
>    implementation may display DNs in certificates according to X.509's
>    conventions rather than LDAP's rules.
>
> as there really are no rules in X.500 for displaying DNs.

Sorry about that; I forgot to deal with that in my suggestion.  Still,
the left-to-right vs right-to-left issue has caused confusion, as
someone mentioned.  Is this (in addition to your sentence) better?

     For example, some X.500 implementations order <RDNs in a DN, or
     DN components, or whatever - see below> left-to-right instead
     of LDAP's right-to-left.

>> I still think "the RDN" is clearer than "the least significant RDN",
>> since I'm not used to the term "least significant" with this meaning for
>> non-numbers.

I withdraw that suggestion; I forgot that "the RDN" is unique for an
entity and not for a DN, as Howard mentions below.


> Another choice could be "most inferior" though it's not much better.
> But, both terms are in keeping with the X.500 definition of a DN.

Does seem a bit better.  Anyway, if both are X.500 terms I guess there
isn't much to do.

> I guess "the RDN" is better if it is more explicitly qualified:
>
>    The server's identity may also be verified by comparing the reference
>    identity to the value of the Common Name attribute in the RDN of the
>    entity named by the server certificate's DN.

No - that may lead some people to believe the named entity must exist in
the local LDAP directory.

> I.e., a DN is a sequence of RDNs, but only one RDN names the entity in
> question, the others name the parents/ancestors.

-- 
Hallvard
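An added illustration of the ordering point argued in this thread, not part of the original message: a small Python model of a certificate subject held in X.500 order, rendered in both display conventions, with the Common Name comparison the draft text describes. The sample subject is constructed, and the function names are assumptions made for the example.

```python
# Added example, not from the thread. A DN is modelled as a list of RDNs in
# X.500 order (root first, the RDN naming the entity itself last); one RDN is
# a list of (attributeType, value) pairs, so a multi-valued RDN has several.
from typing import List, Tuple

RDN = List[Tuple[str, str]]
DN = List[RDN]


def _escape(value: str) -> str:
    """Escape the characters RFC 4514 requires in an attribute value."""
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;'
        lead_hash = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, len(value) - 1)
        out.append('\\' + ch if special or lead_hash or edge_space else ch)
    return ''.join(out)


def rdn_to_str(rdn: RDN) -> str:
    return '+'.join(f"{t}={_escape(v)}" for t, v in rdn)


def x500_display(dn: DN) -> str:
    """Left-to-right rendering some X.500 implementations use: root first."""
    return ','.join(rdn_to_str(r) for r in dn)


def ldap_display(dn: DN) -> str:
    """LDAP string representation (RFC 4514): the entity's own RDN first."""
    return ','.join(rdn_to_str(r) for r in reversed(dn))


def least_significant_rdn(dn: DN) -> RDN:
    """The RDN naming the entity itself: last in X.500 order, first in LDAP order."""
    return dn[-1]


def common_names(rdn: RDN) -> List[str]:
    return [v for t, v in rdn if t.upper() == 'CN']


def cn_matches_reference(dn: DN, reference_identity: str) -> bool:
    """Compare the reference identity to the CN value(s) of the least
    significant RDN, as the draft describes; hostnames compare case-insensitively."""
    ref = reference_identity.rstrip('.').lower()
    return any(cn.rstrip('.').lower() == ref
               for cn in common_names(least_significant_rdn(dn)))


# Constructed sample subject (not taken from any real certificate).
SUBJECT: DN = [
    [('C', 'NO')],
    [('O', 'Example, Inc.')],
    [('OU', 'Directory Services')],
    [('CN', 'ldap.example.com')],
]
```

Because `SUBJECT` is stored root-first, `least_significant_rdn` is simply the last element, whereas in the LDAP string it appears first; a multi-valued least significant RDN is handled by checking every CN value in it.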