Per the discussion quoted in part below, there is another
thing to be mindful of.
According to [9594-2 | X.501], leaving off the last RDN
("last," that is, using the notation employed in this
discussion so far) must also yield the name of an object.
So while Tom's examples below may refer to technically
valid Distinguished Names, from a Directory point of
view they imply the existence of (referring to the second
example) some object class named by an OrganizationName
and a CommonName together, and which can have as a
subordinate some other object class named by the pair
Locality and CommonName.
Offhand I'd say that none of the object classes laid out in
[9594-7 | X.521] would work in quite this way, but the
Directory certainly doesn't prevent you from making
such classes up.
Now I hasten to add that I realize we are *not*, in fact,
talking about the Directory, but rather about PEM, which
although it employs the DN concept from the Directory
standard, does not necessarily deal with Directory
objects.
However, if it is still envisioned that PEM will someday
use an X.500-based Directory as a certificate and CRL
repository (for example), then keeping these
additional restrictions in mind may be important.
From a strict application of X.501 I can see that, but what about
{ (c=US); (st=California); (o=DBC); (l=Mountain View);
(l=Santa Clara)}
From my reading of the X.500's this must be legal.
This is legal because within each RDN the attributes are
distinct. The locality attribute is allowed to appear
in more than one RDN. [...]
And so should
{ (c=US); (st=Confusion); (o=DBC, cn=MTRose); (l=Santa Clara,
cn=Marshall)}
This is also legal, for the same reason
--
KENR(_at_)SHL(_dot_)COM
Systemhouse
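The two X.501 rules discussed in this thread (attribute types must be distinct within one RDN but may recur across RDNs, and every name obtained by dropping the last RDN must itself name an object) can be checked mechanically. The following is an added example, not code from the thread or from any PEM or X.500 implementation; it assumes the brace-and-parenthesis notation used above and works on the hypothetical names quoted in the discussion.

```python
import re
from typing import List, Tuple

# One RDN is an ordered list of (attribute type, value) pairs; a DN is a list
# of RDNs from the root downwards, written in the notation used in the thread.
Rdn = List[Tuple[str, str]]
Dn = List[Rdn]

_PAREN = re.compile(r"\(([^()]*)\)")


def parse_dn(text: str) -> Dn:
    """Parse '{ (c=US); (o=DBC, cn=MTRose) }' into
    [[('c', 'US')], [('o', 'DBC'), ('cn', 'MTRose')]].

    Attribute types are lower-cased so that 'CN' and 'cn' compare equal;
    values are kept exactly as written.
    """
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("a DN in this notation is enclosed in braces")
    body = body[1:-1]
    # Outside the parenthesised RDNs only ';' separators and whitespace may appear.
    leftover = _PAREN.sub("", body).replace(";", "").strip()
    if leftover:
        raise ValueError(f"unexpected text outside RDNs: {leftover!r}")
    dn: Dn = []
    for group in _PAREN.findall(body):
        rdn: Rdn = []
        for ava in group.split(","):
            if "=" not in ava:
                raise ValueError(f"malformed attribute-value assertion: {ava.strip()!r}")
            attr_type, value = ava.split("=", 1)
            rdn.append((attr_type.strip().lower(), value.strip()))
        dn.append(rdn)
    return dn


def format_dn(dn: Dn) -> str:
    """Render a DN back into the thread's notation; the empty DN (the root) is '{ }'."""
    if not dn:
        return "{ }"
    rdns = ["(" + ", ".join(f"{t}={v}" for t, v in rdn) + ")" for rdn in dn]
    return "{ " + "; ".join(rdns) + " }"


def rdn_violations(dn: Dn) -> List[str]:
    """Flag RDNs that repeat an attribute type.

    This is the rule quoted in the thread: within one RDN the types must be
    distinct, while the same type (e.g. 'l') may appear again in another RDN.
    An empty list means the DN is well formed in this respect.
    """
    problems = []
    for i, rdn in enumerate(dn, start=1):
        types = [t for t, _ in rdn]
        repeated = sorted({t for t in types if types.count(t) > 1})
        if repeated:
            problems.append(f"RDN {i} repeats attribute type(s) {', '.join(repeated)}")
    return problems


def naming_attribute_sets(dn: Dn) -> List[Tuple[str, ...]]:
    """The attribute types that together name the object at each level.

    For the thread's second example this yields an object named by o+cn with
    a subordinate named by l+cn, which is the structural point made above.
    """
    return [tuple(t for t, _ in rdn) for rdn in dn]


def implied_superiors(dn: Dn) -> List[str]:
    """Names the Directory must also hold for this DN to exist: every prefix
    obtained by dropping the last RDN, repeated down to the root."""
    return [format_dn(dn[:k]) for k in range(len(dn) - 1, -1, -1)]


if __name__ == "__main__":
    # Hypothetical names from the thread (constructed sample input).
    for text in (
        "{ (c=US); (st=California); (o=DBC); (l=Mountain View); (l=Santa Clara)}",
        "{ (c=US); (st=Confusion); (o=DBC, cn=MTRose); (l=Santa Clara, cn=Marshall)}",
    ):
        dn = parse_dn(text)
        print(format_dn(dn))
        print("  violations:", rdn_violations(dn) or "none")
        print("  naming attributes per level:", naming_attribute_sets(dn))
        for superior in implied_superiors(dn):
            print("  requires object:", superior)
```

Both names from the thread pass `rdn_violations`, confirming the "distinct within each RDN" reading; `implied_superiors` lists the objects a Directory would have to contain for the second example to be a valid entry name, which is exactly the consideration raised at the top of the message.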