Some time ago MTR wrote:
- - - - - - - - - - - -
An RDN is one or more DAVs. A DAV is a Distinguished Attribute Value.
What this means is that any attribute type can occur at most ONCE in an RDN.
So,
(l=Mountain View, o=Dover Beach Consulting)
is a valid RDN, but...
(l=Mountain View, l=Santa Clara, o=Dover Beach Consulting)
is illegal...
Yes, it is legitimate, in fact, likely, that an RDN with
multiple AVAs would have different attribute types.
Regrettably, the above statement is misleading. Let's be concrete:
1. An RDN consists of AT LEAST ONE AVA.
2. An attribute type can occur AT MOST ONCE in an RDN.
So,
{ c=US, st=California, (o=DBC,l=Mountain View)}
is legal, but
{ c=US, st=California, (o=DBC,l=Mountain View,l=Santa Clara)}
is illegal.
- - - - - - - - - - - -
Sorry to respond so late, but I can't find any place in X.509-1988 where
this is precluded. I know that it is hard to order sets when the tags
are the same, but the wording does not seem to prevent it.
This came up when one of my distinguished names had the following in it:
31 17
30 15
06 03 55 04 0b (Organizational Unit Name)
0d 0e Administration
31 0f
30 0d
06 03 55 04 0b
0d 06 NOTARY
Perhaps there is some source besides X.501, 509, 520 that describes DNs?
Also, where are the attribute abbreviations (c=) found?
- - - - - - - - - - - -
I also have a copy of certificate #3 from TIS which has a name that
looks like
31 ..
30 ..
06 03 550406
0d 02 US
31 ..
30 ..
06 03 55040a
0d 1b Trusted Information Systems
31 ..
30 ..
06 03 55040b
0d ...
31 ..
30 ..
06 03 550403
0d ...
Is this an error because the common name(3) is at the end?
Peace ..Tom Jones
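
Added example, not part of the original message or of any PEM implementation: a short Python walk over a DER-encoded Name that applies the rule as stated in the quoted text (an attribute type at most once within a single RDN) and reports which SET each attribute type sits in. The function names, the outer SEQUENCE wrapper around the dumped bytes, and the MULTI_L sample are assumptions made for illustration.

```python
# Added example. Handles short-form DER lengths (< 128) only, which covers these samples.
from collections import Counter

def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def read_tlvs(buf):  # split buf into a list of (tag, value) pairs
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] & 0x80 or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated or long-form TLV")
        out.append((buf[i], buf[i + 2:i + 2 + buf[i + 1]]))
        i += 2 + buf[i + 1]
    return out

def oid_str(body):
    arcs, n = [], 0
    for b in body:                      # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def rdn_types(name_der):
    """For each RDN (SET) in a Name (SEQUENCE), list its attribute type OIDs."""
    ((tag, body),) = read_tlvs(name_der)
    rdns = []
    for set_tag, rdn in read_tlvs(body):
        if tag != 0x30 or set_tag != 0x31:
            raise ValueError("expected SEQUENCE of SET")
        rdns.append([oid_str(read_tlvs(ava)[0][1]) for _, ava in read_tlvs(rdn)])
    return rdns

def repeated_types(name_der):
    """(rdn_index, oid) for every type occurring more than once inside one RDN."""
    return [(i, t) for i, types in enumerate(rdn_types(name_der))
            for t, c in Counter(types).items() if c > 1]

def ava(oid_hex, text):  # constructed AVA with a PrintableString (0x13) value
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x13, text.encode()))

# Bytes as dumped in the message, wrapped in an outer SEQUENCE (wrapper is constructed).
FROM_MESSAGE = tlv(0x30,
    bytes.fromhex("31 17 30 15 06 03 55 04 0b 0d 0e") + b"Administration" +
    bytes.fromhex("31 0f 30 0d 06 03 55 04 0b 0d 06") + b"NOTARY")
# Constructed: one RDN holding o=DBC, l=Mountain View, l=Santa Clara.
MULTI_L = tlv(0x30, tlv(0x31, ava("55040a", "DBC") + ava("550407", "Mountain View")
                              + ava("550407", "Santa Clara")))
```

rdn_types() returns one list per SET (tag 31), so a type that repeats across separate SETs and a type that repeats inside one SET show up differently; only the second is reported by repeated_types().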