
DN formatting



Hi,

I would like some clarification about RFC 2253 with respect to the "#" ASCII
hexstring DN representation.

From what I understand, this form of attribute value is only allowed if the
corresponding attribute type name is of the dotted decimal form. The
following examples clarify things:

1) printer=#64,ou=5th floor,o=Org  : illegal since printer attribute type is
not of dotted decimal OID form, the "#" must be escaped as per section 2.4
of RFC 2253. Correct form would be printer=\#64,ou=5th floor,o=Org.

2) 1.3.6.1.4.1.1466.0=#3002 : format is legal but "#3002" does not decode
properly therefore the string is illegal. The fact that it is illegal may
not be detected by the client but would be detected by the directory.

3) 1.3.6.1.4.1.1466.0=hi : this is legal

4) printer=D#64 : Illegal. Even though # is not the first character, the
grammar of RFC 2253 requires it to be escaped even though section 2.4 says
it is OK. Proper form is printer=D\#64.

Is this interpretation correct? Example 1 could be an acceptable DN given
that the attribute type is not in the OID format and one could assume that
the "#" is just a regular character. Or is the opposite true; should the
application always assume that a leading "#" character always designates a
hexstring escaped BER encoding?

Chris.


-----------------------------------------
Chris Oliva
Entrust Technologies

(613) 248-3014
Chris.Oliva@entrust.com
http://www.entrust.com

Mark your calendar now for Entrust SecureSummit '99
June 14-17, Hyatt Grand Cypress Resort, Orlando, FL
-----------------------------------------
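An added example, not part of the original post: a small Python checker that applies the `string` production from section 3 of RFC 2253 to each attribute value, and separately tests whether a `#` hexstring holds exactly one complete BER TLV. The function names, the simplified RDN splitting, and the constructed `#04024869` sample are assumptions made here; the quoted (LDAPv2-style) value form is not handled.

```python
import re

SPECIAL = set(',=+<>#;')                      # "special" in RFC 2253 section 3
HEXPAIR = re.compile(r'[0-9A-Fa-f]{2}')

def ber_well_formed(data: bytes) -> bool:
    """True if data is exactly one definite-length BER TLV (single-byte tag only)."""
    if len(data) < 2 or data[0] & 0x1F == 0x1F or data[1] == 0x80:
        return False
    length, pos = data[1], 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        if len(data) < 2 + n:
            return False
        length, pos = int.from_bytes(data[2:2 + n], 'big'), 2 + n
    return len(data) - pos == length

def classify_value(value: str) -> str:
    """Classify one attributeValue; the grammar does not tie '#' to the attributeType."""
    if value.startswith('#'):                 # "#" hexstring
        body = value[1:]
        if not re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', body):
            return 'invalid'
        return 'hexstring' if ber_well_formed(bytes.fromhex(body)) else 'hexstring-bad-ber'
    i = 0
    while i < len(value):
        c, nxt = value[i], value[i + 1:i + 2]
        if c == '\\':                         # pair = "\" (special / "\" / QUOTATION / hexpair)
            if nxt and (nxt in SPECIAL or nxt in '\\"'):
                i += 2
            elif HEXPAIR.fullmatch(value[i + 1:i + 3]):
                i += 3
            else:
                return 'invalid'
        elif c in SPECIAL or c == '"':        # grammar: specials are escaped wherever they occur
            return 'invalid'
        else:
            i += 1
    return 'string'

def check_dn(dn: str) -> list:
    """Split on unescaped , ; + (a simplification) and classify each value."""
    out = []
    for part in re.split(r'(?<!\\)[,;+]', dn):
        attr_type, _, value = part.partition('=')
        out.append((attr_type.strip(), classify_value(value)))
    return out

if __name__ == '__main__':                    # the post's four examples plus a constructed one
    for dn in ['printer=#64,ou=5th floor,o=Org', '1.3.6.1.4.1.1466.0=#3002',
               '1.3.6.1.4.1.1466.0=hi', 'printer=D#64', '1.3.6.1.4.1.1466.0=#04024869']:
        print(dn, '->', check_dn(dn))
```

`hexstring-bad-ber` marks a value that matches the hexstring syntax but whose bytes are not a complete TLV, which is the case a purely syntactic client check would miss.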