pem-dev

An implementor's agreement on "subordination"

1992-04-16 11:25:00
I'm looking for an implementor's agreement on "subordination" of one
distinguished name to another.

In the abstract sense, DN (distinguished name) A is subordinate to DN
B if A contains all the RDNs (relative distinguished names) of B in
the same order, and one or more additional less significant RDNs.
RDNs are the same if they have the same AVAs (attribute-value
assertions), and AVAs are the same if their values compare in the
abstract sense, i.e., independent of character set. (So T.61 "PEM"
matches PrintableString "PEM".)

A consequence of all this abstraction is that A may be subordinate to
B even if A's distinguished encoding is all T.61, and B's is all
PrintableString. (There's no rule in DER that says "choose
PrintableString if you can". Attributes match on T.61 or
PrintableString.) Related to this: I can change my name's encoding
from PrintableString to T.61, and still have the same (abstract)
distinguished name.

I'd like to see an implementor's agreement that says A's distinguished
encoding should be the same as B's for common RDNs. Also, I'd like to
see one that requires an entity to keep the same distinguished
encoding throughout its use of a name. (Note that I'm not calling for
the "choose PrintableString if you can" rule, just "don't change your
encoding, or your superior's encoding when you're a subordinate.")

-- Burt Kaliski
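An added worked example, not part of Kaliski's post: the abstract subordination test described above, next to the encoding-consistency check the proposed implementor's agreement would add, with a minimal DER string encoder to show why byte-wise comparison of names disagrees with abstract matching. The sample names, the `AVA`/`mk` helpers and the restriction to ASCII values are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List
@dataclass(frozen=True)
class AVA:
    attr: str       # attribute type, e.g. "C", "O", "CN"
    value: str      # the abstract value, independent of string type
    encoding: str   # DER string type chosen: "PrintableString" or "T61String"

RDN = FrozenSet[AVA]   # an RDN is a set of AVAs
DN = List[RDN]         # RDNs in order, most significant first
DER_TAG = {"PrintableString": 0x13, "T61String": 0x14}

def der_string(ava: AVA) -> bytes:
    # The value as DER carries it (tag, short-form length, ASCII body); the bytes
    # differ between the two string types even when the abstract value is equal.
    body = ava.value.encode("ascii")
    return bytes([DER_TAG[ava.encoding], len(body)]) + body

def ava_matches(a: AVA, b: AVA) -> bool:
    # Abstract match: same type and same value, regardless of character set.
    return a.attr == b.attr and a.value == b.value

def rdn_matches(r1: RDN, r2: RDN) -> bool:
    # RDNs match when they hold the same AVAs under abstract matching.
    return len(r1) == len(r2) and all(any(ava_matches(a, b) for b in r2) for a in r1)

def is_subordinate(a: DN, b: DN) -> bool:
    # A is subordinate to B: all of B's RDNs, in order, plus at least one more.
    return len(a) > len(b) and all(rdn_matches(x, y) for x, y in zip(a, b))

def common_rdns_share_encoding(a: DN, b: DN) -> bool:
    # The proposed agreement: on the RDNs A shares with B, every AVA must also
    # use B's distinguished encoding, not merely match abstractly.
    if not is_subordinate(a, b):
        return False
    for ra, rb in zip(a, b):
        for x in ra:
            y = next(v for v in rb if ava_matches(x, v))  # exists: rdn_matches held
            if x.encoding != y.encoding:
                return False
    return True

def mk(attr: str, value: str, enc: str = "PrintableString") -> RDN:
    return frozenset({AVA(attr, value, enc)})

# Constructed sample names (not from the post): a CA and two encodings of one user name.
CA = [mk("C", "US"), mk("O", "Example CA")]
USER_OK = CA + [mk("CN", "Alice")]
USER_T61 = [mk("C", "US", "T61String"), mk("O", "Example CA", "T61String"), mk("CN", "Alice")]
```

`USER_T61` is abstractly subordinate to `CA` but fails the encoding check, which is exactly the case the post wants the agreement to rule out.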