
Re: authmeth-16 TLS issues

I've reworked this paragraph on the CN/subjectName check based on several comments in this thread. Here's what I now have:

The server's identity may also be verified by comparing the reference identity to the Common Name value in the leaf RDN of the subjectName field of the server's certificate.  Note that the TLS implementation may display DNs in certificates according to X.509 conventions.  For example, some X.500 implementations order the RDNs in a DN using a left-to-right (most significant to least significant) convention instead of LDAP's right-to-left convention.  This comparison is performed using the rules for comparison of DNS names in section 3.1.3.1 below, with the exception that no wildcard matching is allowed.  Although the use of the Common Name value is existing practice, it is deprecated and Certification Authorities are encouraged to provide subjectAltName values instead.

Comments and feedback are welcome.

Roger
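The following is an added illustration, not text from this thread or from the authmeth draft, of the check the paragraph above describes: parse an RFC 4514 string-form DN, take the leaf (least significant) RDN, pull out its Common Name, and compare it to the reference identity with no wildcard matching. It also shows the ordering confusion the paragraph warns about: the same DN written in X.500 left-to-right order yields the wrong RDN if the verifier assumes LDAP ordering. The DNS-name comparison rules of section 3.1.3.1 are not reproduced here; a case-insensitive, trailing-dot-insensitive exact comparison stands in for them, which is an assumption of this example. All DNs below are constructed sample values.

```python
"""Leaf-RDN Common Name check against a reference identity (illustrative)."""

HEX_DIGITS = "0123456789abcdefABCDEF"


def split_unescaped(s, sep):
    """Split s on sep, ignoring occurrences escaped with a backslash.

    Escape sequences are passed through untouched so unescape() can decode
    them later.
    """
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def unescape(value):
    """Decode RFC 4514 escapes: backslash-char and backslash-hex-pair (UTF-8 bytes)."""
    out = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            if i + 2 < len(value) and value[i + 1] in HEX_DIGITS and value[i + 2] in HEX_DIGITS:
                out.append(int(value[i + 1:i + 3], 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += c.encode("utf-8")
            i += 1
    return out.decode("utf-8")


def parse_dn(dn):
    """Parse a string DN into a list of RDNs; each RDN is a list of (type, value).

    Attribute types are lower-cased; multi-valued RDNs (joined with '+') are kept together.
    """
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr_type, _, attr_value = ava.partition("=")
            avas.append((attr_type.strip().lower(), unescape(attr_value.strip())))
        rdns.append(avas)
    return rdns


def leaf_cn(dn, ldap_order=True):
    """Return the Common Name in the leaf RDN, or None if the leaf RDN has no CN.

    In LDAP string order (RFC 4514) the leaf RDN comes first; in the
    left-to-right convention some X.500 implementations use, it comes last.
    """
    rdns = parse_dn(dn)
    leaf = rdns[0] if ldap_order else rdns[-1]
    for attr_type, attr_value in leaf:
        if attr_type in ("cn", "2.5.4.3"):  # 2.5.4.3 is the OID for commonName
            return attr_value
    return None


def dns_names_equal(reference, presented):
    """Stand-in for the section 3.1.3.1 comparison (assumed here to be
    case-insensitive with trailing dots ignored). No wildcard expansion is
    performed, so a presented '*.example.com' never matches a real hostname.
    """
    if presented is None:
        return False
    return reference.rstrip(".").lower() == presented.rstrip(".").lower()


def verify_cn(reference_identity, subject_dn, ldap_order=True):
    """True if the leaf RDN's Common Name equals the reference identity."""
    return dns_names_equal(reference_identity, leaf_cn(subject_dn, ldap_order))


if __name__ == "__main__":
    ldap_dn = "CN=ldap.example.com,OU=Directory,O=Example\\, Inc.,C=US"   # constructed
    x500_dn = "C=US,O=Example\\, Inc.,OU=Directory,CN=ldap.example.com"   # same DN, X.500 order
    print(verify_cn("ldap.example.com", ldap_dn))                         # True
    print(verify_cn("ldap.example.com", x500_dn))                         # False: leaf RDN read as C=US
    print(verify_cn("ldap.example.com", x500_dn, ldap_order=False))       # True
    print(verify_cn("www.example.com", "CN=*.example.com,O=Example,C=US"))  # False: no wildcards
```

The escaped comma in `O=Example\, Inc.` is why the parser cannot simply `split(",")`; a verifier that does so would pick the wrong leaf RDN on such a certificate. The multi-valued RDN form (`OU=Directory+CN=ldap.example.com`) is also handled, since the CN may share the leaf RDN with another attribute.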

>>> Hallvard B Furuseth <h.b.furuseth@usit.uio.no> 10/20/05 3:14 pm >>>
Howard Chu writes:
>Hallvard B Furuseth wrote:
>>Roger Harrison writes:
>>> The server's identity may also be verified by comparing the reference
>>> identity to the Common Name value of the least significant RDN of the
>>> subjectName field of the server's certificate.  Note that the TLS
>>> implementation may display DNs in certificates according to X.509's
>>> rules rather than LDAP's rules.  For example, RDNs in a DN may be
>>> ordered left-to-right instead of right-to-left.
>
> Upon further reflection, I would make this
>
>    Note that the TLS
>    implementation may display DNs in certificates according to X.509's
>    conventions rather than LDAP's rules.
>
> as there really are no rules in X.500 for displaying DNs.

Sorry about that, I forgot to deal with that in my suggestion.  Still,
the left-to-right vs right-to-left issue has caused confusion, as
someone mentioned.  Is this (in addition to your sentence) better?

     For example, some X.500 implementations order <RDNs in a DN, or
     DN components, or whatever - see below> left-to-right instead
     of LDAP's right-to-left.

>> I still think "the RDN" is clearer than "the least significant RDN",
>> since I'm not used to the term "least significant" with this meaning for
>> non-numbers.

I withdraw that suggestion, I forgot that "the RDN" is unique for an entity
and not for a DN, as Howard mentions below.


> Another choice could be "most inferior" though it's not much better.
> But, both terms are in keeping with the X.500 definition of a DN.

Does seem a bit better.  Anyway, if both are X.500 terms I guess there
isn't much to do.

> I guess "the RDN" is better if it is more explicitly qualified:
>
>    The server's identity may also be verified by comparing the reference
>    identity to the value of the Common Name attribute in the RDN of the
>    entity named by the server certificate's DN.

No - that may lead some people to believe the named entity must exist in
the local LDAP directory.

> I.e., a DN is a sequence of RDNs, but only one RDN names the entity in
> question, the others name the parents/ancestors.

--
Hallvard