ext Tony Earnshaw (tonni@billy.demon.nl) wrote:
> Perhaps I've misunderstood the question, but isn't this the standard way
> of doing things?

This is probably not the proper mailing list for this discussion. If
somebody knows of a more appropriate one, then please let me know.

Anyway, here goes a more detailed explanation of what I am trying to
gather information about.

Example DN:
cn=Mike Jackson,ou=users,dc=nokia,dc=com

Example X.509 Subject Name:
cn=Mike Jackson,ou=users,o=nokia,c=us

Do you see how they disagree with each other?

RFC3280 states that implementations MUST be able to receive the
domainComponent attribute. So, IMHO, it makes sense to compose a subject
name that matches the directory base instead of opposing it. However, the
problem is that quite a lot of CA software interfaces (RSA, SSH,
Netscape) make it difficult to use anything except c,o for the subject
name. Some applications have even gone so far as to hardcode c,o format
into CMPv2 request forms, etc.

Any opinions on this subject? Anybody here who has implemented a
directory and PKI according to the disagreeing examples that I've shown
above? If so, what problems have you encountered wrt publishing certs,
client application cert lookups, etc?
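As an added illustration (not code from the post or any product named in it), the following Python compares a certificate subject name with a directory DN in RFC 4514 syntax and shows the lookup difference the two example subjects create: a dc-style subject is the entry DN itself, while a c/o-style subject forces the client to fall back to a cn search under the base. The `locate_entry` helper and its return values are assumptions made for this example.

```python
"""Match an X.509 subject name against an LDAP entry DN (RFC 4514 syntax)."""
from typing import List, Tuple

RDN = Tuple[str, str]

def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into (type, value) pairs. Handles backslash-escaped
    commas ('Jackson\\, Mike'); multi-valued RDNs and hex escapes are not
    covered here."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = [r.partition("=") for r in rdns]
    return [(t.strip().lower(), v.strip()) for t, _, v in pairs]

def normalized(dn: str) -> List[RDN]:
    """cn, ou, o, c and dc all use caseIgnoreMatch, so fold values too."""
    return [(t, v.lower()) for t, v in parse_dn(dn)]

def dn_equal(a: str, b: str) -> bool:
    return normalized(a) == normalized(b)

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for values placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def locate_entry(subject: str, base_dn: str) -> Tuple[str, str]:
    """How a client would find the directory entry for a certificate subject:
    a subject built under the directory base (dc= form) is the entry DN, so a
    base-scope read suffices; a c/o-style subject only allows a subtree
    search on the cn under the base (hypothetical helper for this example)."""
    subj, base = normalized(subject), normalized(base_dn)
    if len(subj) > len(base) and subj[-len(base):] == base:
        return ("base", subject)
    cn = next((v for t, v in parse_dn(subject) if t == "cn"), None)
    if cn is None:
        raise ValueError("subject has no cn to search on")
    return ("subtree", "(cn=%s)" % ldap_filter_escape(cn))
```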