Re: authmeth-16 TLS issues
Howard Chu writes:
>Hallvard B Furuseth wrote:
>>Roger Harrison writes:
>>> The server's identity may also be verified by comparing the reference
>>> identity to the Common Name value of the least significant RDN of the
>>> subjectName field of the server's certificate. Note that the TLS
>>> implementation may display DNs in certificates according to X.509's
>>> rules rather than LDAP's rules. For example, RDNs in a DN may be
>>> ordered left-to-right instead of right-to-left.
>
> Upon further reflection, I would make this
>
> Note that the TLS
> implementation may display DNs in certificates according to X.509's
> conventions rather than LDAP's rules.
>
> as there really are no rules in X.500 for displaying DNs.
Sorry about that, I forgot to deal with that in my suggestion. Still,
the left-to-right vs right-to-left issue has caused confusion, as
someone mentioned. Is this (in addition to your sentence) better?
For example, some X.500 implementations order <RDNs in a DN, or
DN components, or whatever - see below> left-to-right instead
of LDAP's right-to-left.
>> I still think "the RDN" is clearer than "the least significant RDN",
>> since I'm not used to the term "least significant" with this meaning for
>> non-numbers.
I withdraw that suggestion; I forgot that "the RDN" is unique for an entity
and not for a DN, as Howard mentions below.
> Another choice could be "most inferior" though it's not much better.
> But, both terms are in keeping with the X.500 definition of a DN.
Does seem a bit better. Anyway, if both are X.500 terms I guess there
isn't much to do.
> I guess "the RDN" is better if it is more explicitly qualified:
>
> The server's identity may also be verified by comparing the reference
> identity to the value of the Common Name attribute in the RDN of the
> entity named by the server certificate's DN.
No - that may lead some people to believe the named entity must exist in
the local LDAP directory.
> I.e., a DN is a sequence of RDNs, but only one RDN names the entity in
> question, the others name the parents/ancestors.
--
Hallvard
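As an added illustration of the check the draft text above describes (this is example code written for this page, not anything from the draft or from the thread's participants): extract the Common Name of the least significant RDN from a certificate subject DN and compare it to the reference identity. It assumes the DN is given in the LDAP string form (least significant RDN first, as in RFC 4514) and uses a simplified parser that handles commas, '+' for multi-valued RDNs and single-character backslash escapes only; the `order="x500"` switch shows what goes wrong when the same DN is rendered root-first.

```python
def _split_unescaped(s, sep):
    """Split s on sep, honouring single-character backslash escapes.
    Simplification: hex-pair escapes (\\2C) and quoting are not handled."""
    parts, buf, esc = [], [], False
    for ch in s:
        if esc:
            buf.append(ch)  # keep the escaped character literally
            esc = False
        elif ch == '\\':
            esc = True
        elif ch == sep:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return parts


def parse_dn(dn, order="ldap"):
    """Return the DN as a list of RDNs, least significant RDN first.
    Each RDN is a list of (attribute type, value) pairs.
    order="ldap": the string is in LDAP order (leftmost RDN is least significant).
    order="x500": the string was displayed root-first, so the list is reversed."""
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        avas = []
        for ava in _split_unescaped(rdn, '+'):
            t, _, v = ava.partition('=')
            avas.append((t.strip().lower(), v.strip()))
        rdns.append(avas)
    return rdns if order == "ldap" else list(reversed(rdns))


def least_significant_cn(dn, order="ldap"):
    """Common Name value of the least significant RDN, or None if that RDN has none."""
    for t, v in parse_dn(dn, order)[0]:
        if t == "cn":
            return v
    return None


def matches_reference_identity(reference, dn, order="ldap"):
    """Case-insensitive comparison of the reference identity (a hostname) with that CN."""
    cn = least_significant_cn(dn, order)
    return cn is not None and cn.lower() == reference.lower()
```

Parsing a root-first (X.500 style) rendering of "CN=ldap.example.com,OU=Servers,O=Example Corp,C=US" as if it were LDAP order yields no CN at all, which is exactly the confusion the draft text warns about.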