Let me phrase my confusion concretely by asking the following:
Is the following RDN valid?
    SET OF
        SEQUENCE OF
            type=organizational unit
            value=Division A
        SEQUENCE OF
            type=organizational unit
            value=Testing CA Only
I believe this is valid and is why a set is used... to permit
multiple values per type.
How about the following?
    SET OF
        SEQUENCE OF
            type=country
            value=Zimbabwe
        SEQUENCE OF
            type=state/province
            value=Zimmy State
I believe this is not valid although I cannot find any actual
text which says so. This is the kind of thing that COST does.
Instead, this should be done with two RDNs, which is certainly valid,
but is there anything that rules out the single RDN approach?
It seems wrong although I can't point to "Section X in Document Y."
-Ray
Ray,
Both of these are valid representations from an encoding standpoint
using BER or DER. There is no guidance that I know of for
multivalued RDN components. The interpretation of your first example
seems fairly straightforward; the second is a bit more ambiguous.
Note that use of this "feature" complicates directory schemas
inordinately and may make searches problematic. For signing
purposes (DER) these SET OF elements have a distinct order, but
only for signing purposes. The only mandatory encoding
which must be observed is BER, and there is no defined
evaluation order for SET OF in BER.
It is unfortunate that COST is using this construct; there are many
examples of DIT structures, from the White Pages project to the
examples in X.520 and X.521.
John
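A worked encoding of Ray's two RDNs, added here as an example that is not part of either message: a minimal hand-rolled BER/DER encoder for RelativeDistinguishedName (SET OF AttributeTypeAndValue), showing that both RDNs encode without complaint, that BER keeps whatever component order it is given, and that DER imposes the distinct order John mentions (X.690 sorts SET OF components by their encoded octets). Attribute values are assumed to be PrintableString, and "Zimbabwe" / "Zimmy State" are the constructed sample values from the question.

```python
from typing import Iterable, Tuple

# Standard X.520 attribute type OIDs (real values).
OID_OU = (2, 5, 4, 11)       # organizationalUnitName
OID_COUNTRY = (2, 5, 4, 6)   # countryName
OID_STATE = (2, 5, 4, 8)     # stateOrProvinceName

def der_length(n: int) -> bytes:
    """Definite-form length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content

def encode_oid(arcs: Tuple[int, ...]) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return tlv(0x06, bytes(out))

def encode_atv(oid: Tuple[int, ...], value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString (assumed) }."""
    return tlv(0x30, encode_oid(oid) + tlv(0x13, value.encode("ascii")))

def ber_rdn(atvs: Iterable[Tuple[Tuple[int, ...], str]]) -> bytes:
    """BER: SET OF components may appear in any order, so the input order is kept."""
    return tlv(0x31, b"".join(encode_atv(t, v) for t, v in atvs))

def der_rdn(atvs: Iterable[Tuple[Tuple[int, ...], str]]) -> bytes:
    """DER (X.690 11.6): SET OF components sorted ascending by their encoded octets."""
    return tlv(0x31, b"".join(sorted(encode_atv(t, v) for t, v in atvs)))

# Constructed sample RDNs mirroring the two examples in the question.
RDN_TWO_OUS = [(OID_OU, "Division A"), (OID_OU, "Testing CA Only")]
RDN_MIXED = [(OID_COUNTRY, "Zimbabwe"), (OID_STATE, "Zimmy State")]

if __name__ == "__main__":
    for name, rdn in (("two OUs", RDN_TWO_OUS), ("C + ST", RDN_MIXED)):
        print(name, "DER:", der_rdn(rdn).hex())
        print(name, "DER is order-independent:", der_rdn(rdn) == der_rdn(rdn[::-1]))
        print(name, "BER is order-dependent:", ber_rdn(rdn) != ber_rdn(rdn[::-1]))
```

Feeding either RDN in reversed component order changes the BER bytes but not the DER bytes, which is why a signature over a DER-encoded name is stable while BER gives a verifier no single canonical form to compare against.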