
Re: Using Arbitrary X509 certificates for LDAPS authentication



Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Stephen Cartwright wrote:
>>>> I looked into this and I don't understand :( Would you please clarify
>>>> why a DN such as "/C=CA/O=Grid/CN=host/somehost.somedomain.ca" is
>>>> broken? You said "somehost.somedomain.ca" is not a valid RDN because
>>>> it just has a value and not a type, however the RDN is not just
>>>> "somehost.somedomain.ca" but "CN=host/somehost.somedomain.ca" which
>>>> has a type of "CN" and a value of "host/somehost.somedomain.ca" does
>>>> it not?
>>>
>>> That wasn't clear to me from the output you posted before. Since you
>>> were posting a DN that uses '/' as its RDN separator, the software that
>>> generated this log output should have escaped the '/' in the attribute
>>> value if that was really the situation. E.g., it should have looked like
>>> /CN=host%2Fsomehost.somedomain.ca.
>>
>> Using top-down-order and / as separator is the standard behaviour of
>> OpenSSL.
>> :-/
> 
> Right, there's nothing wrong with that, it's a well-established practice
> with a long history. But what's wrong is that when you use '/' as a
> separator, then you must escape it when it appears in a value.

Yes, but OpenSSL has never done this. Also, I don't know of a formal
specification of this /-based string representation. So probably no one cares.

Ciao, Michael.
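The ambiguity under discussion, as an added example that is not part of the thread and not OpenSSL's or OpenLDAP's code: a naive split of the '/'-separated DN on every '/' turns the CN value "host/somehost.somedomain.ca" into a trailing component with no attribute type, which is what Howard objected to. The `%2F` escaping is the convention Howard suggests and is an assumption of this example (OpenSSL itself does not escape the separator). For comparison the same RDNs are also rendered in RFC 4514 syntax, where ',' is the separator, order is leaf-first, and '/' needs no escaping at all. The sample DN is taken from the thread; function names are chosen for this example.

```python
import re
from typing import List, Tuple

RDN = Tuple[str, str]

# Sample from the thread: the subject as OpenSSL prints it, '/' in the CN
# value unescaped.
SAMPLE_ONELINE = "/C=CA/O=Grid/CN=host/somehost.somedomain.ca"

# The same DN as (type, value) pairs in OpenSSL's top-down order.
SAMPLE_RDNS: List[RDN] = [
    ("C", "CA"),
    ("O", "Grid"),
    ("CN", "host/somehost.somedomain.ca"),
]


def split_oneline(dn: str) -> List[str]:
    """Split a '/'-separated DN the way a naive consumer does: on every '/'.

    A '/' inside a value yields a bogus extra component with no '='."""
    return [c for c in dn.split("/") if c != ""]


def to_oneline(rdns: List[RDN], escape: bool = True) -> str:
    """Render (type, value) pairs in the top-down '/'-separated form.

    With escape=True a '/' in a value becomes %2F (and '%' becomes %25 so the
    escaping is reversible). This escaping is an assumption of the example."""
    parts = []
    for typ, val in rdns:
        if escape:
            val = val.replace("%", "%25").replace("/", "%2F")
        parts.append(f"{typ}={val}")
    return "/" + "/".join(parts)


def parse_oneline(dn: str) -> List[RDN]:
    """Parse a '/'-separated DN, decoding %XX escapes in values.

    Raises ValueError when a component lacks 'TYPE=', i.e. is not an RDN."""
    rdns: List[RDN] = []
    for comp in split_oneline(dn):
        typ, sep, val = comp.partition("=")
        if not sep or not typ:
            raise ValueError(
                f"component {comp!r} has no attribute type; unescaped '/' in a value?"
            )
        # Single-pass decode so %252F becomes %2F, not '/'.
        val = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), val)
        rdns.append((typ, val))
    return rdns


def is_well_formed_oneline(dn: str) -> bool:
    """True if every component of the '/'-separated DN is a TYPE=value RDN."""
    try:
        parse_oneline(dn)
        return True
    except ValueError:
        return False


def to_rfc4514(rdns: List[RDN]) -> str:
    """Render the same pairs as an RFC 4514 string: leaf RDN first, ',' separator.

    Only the RFC 4514 specials are escaped; '/' is an ordinary character."""
    def esc(v: str) -> str:
        out = "".join("\\" + ch if ch in '\\,+"<>;' else ch for ch in v)
        if out.startswith("#") or out.startswith(" "):
            out = "\\" + out
        if out.endswith(" ") and not out.endswith("\\ "):
            out = out[:-1] + "\\ "
        return out

    return ",".join(f"{t}={esc(v)}" for t, v in reversed(rdns))


if __name__ == "__main__":
    print("naive split:", split_oneline(SAMPLE_ONELINE))
    print("well-formed as printed:", is_well_formed_oneline(SAMPLE_ONELINE))
    escaped = to_oneline(SAMPLE_RDNS)
    print("escaped form:", escaped)
    print("round trip:", parse_oneline(escaped))
    print("RFC 4514 form:", to_rfc4514(SAMPLE_RDNS))
```

Running the script shows the unescaped DN failing the well-formedness check because "somehost.somedomain.ca" carries no attribute type, while the `%2F`-escaped form round-trips and the RFC 4514 form carries the slash unchanged.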