Charlie Gardiner says
With regard to the application of DER to components of a set of AVAs, isn't
each member of the set a sequence, so that they all have the same tag (0x30)
but different object IDs within the sequences? Since all the tags are the
same, I read that any order is allowed.
the rule to consider here is for the ordering within the SET OF. in X.509|Part
8 that is rule e within clause 9. that rule states that "the components of a
Set-of type shall be encoded in ascending order of their octet value." note
"octet value" not their "tag value"
this is my interpretation
an RDN is a SET OF AttributeTypeAndValue
AttributeTypeAndValue is a SEQUENCE with a type (OBJECT ID) and value (ANY)
contained within.
to do DER for an RDN containing two AttributeTypeAndValues the following would
occur
for the first component encode the object id following rule a (definite
length encoding) and encode the any using the appropriate rules.
enclose both in the sequence which is then encoded using rule a
do the same for the second component
looking at the octets resulting from the encoding, order the components from
low to high (rule e).
enclose the two ordered components in the set of, which is then encoded using
rule a.
as the distinguished name is a sequence of rdns, the rest of the rules are
straightforwardly applied
these are, I believe, the correct rules for encoding a general RDN. I believe it
has been stated that PEM restricts the number of AttributeTypeAndValues in an
RDN to be one so this rule should not have to be invoked for a name in the PEM
environment.
ok all you asn.1 lawyers out there - fire away
hoyt
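The procedure hoyt lays out above (encode each AttributeTypeAndValue as a SEQUENCE, order the resulting octet strings from low to high, wrap them in the SET OF, then wrap the RDNs in the Name SEQUENCE) carried through in working code, as an added example that is not part of the original thread. It is a minimal DER encoder written for this illustration, not any PEM implementation's code; the attribute types (2.5.4.3 for commonName, 2.5.4.11 for organizationalUnitName) and the sample values are constructed for the example, and values are restricted to PrintableString for simplicity. It also includes a check a verifier would want: given a received SET OF encoding, confirm its components really are in ascending octet order, which is what makes the encoding distinguished.

```python
import re


def der_length(n):
    """DER definite-length octets (rule a): short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag, definite length, content."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs: %s" % dotted)
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))          # high-order groups first
    return der_tlv(0x06, bytes(out))


def encode_printable_string(s):
    """PrintableString (tag 0x13); reject characters outside its alphabet."""
    if not re.fullmatch(r"[A-Za-z0-9 '()+,\-./:=?]*", s):
        raise ValueError("not a PrintableString: %r" % s)
    return der_tlv(0x13, s.encode("ascii"))


def encode_ava(oid, value):
    """AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }."""
    return der_tlv(0x30, encode_oid(oid) + encode_printable_string(value))


def encode_rdn(avas):
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue.

    Rule e: components are ordered by the octets of their complete encodings,
    not by tag (every component here carries tag 0x30) and not by input order.
    Python's bytes comparison is lexicographic, which is the ordering needed.
    """
    encoded = [encode_ava(o, v) for o, v in avas]
    return der_tlv(0x31, b"".join(sorted(encoded)))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RelativeDistinguishedName; RDN order is kept as given."""
    return der_tlv(0x30, b"".join(encode_rdn(r) for r in rdns))


def split_tlvs(data):
    """Split a DER byte string into its consecutive top-level TLV encodings."""
    items, i = [], 0
    while i < len(data):
        start = i
        i += 1                                # single-octet tag
        first = data[i]
        i += 1
        if first & 0x80:
            nbytes = first & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        else:
            length = first
        i += length
        if i > len(data):
            raise ValueError("truncated TLV")
        items.append(data[start:i])
    return items


def set_of_is_der_ordered(set_encoding):
    """Verifier-side check: are the SET OF components in ascending octet order?"""
    if not set_encoding or set_encoding[0] != 0x31:
        raise ValueError("not a SET OF encoding")
    body = split_tlvs(set_encoding)[0]        # the SET OF itself
    hdr = 2 if body[1] < 0x80 else 2 + (body[1] & 0x7F)
    components = split_tlvs(body[hdr:])
    return components == sorted(components)


# Constructed sample: an RDN with two AttributeTypeAndValues, given CN first.
CN, OU = "2.5.4.3", "2.5.4.11"
SAMPLE_RDN = [(CN, "Alice"), (OU, "Eng")]

if __name__ == "__main__":
    print(encode_rdn(SAMPLE_RDN).hex())
    print(set_of_is_der_ordered(encode_rdn(SAMPLE_RDN)))
```

Running it shows the OU component emitted before the CN component even though CN was supplied first: its encoding is 30 0a ... and 0x0a sorts below the 0x0c of the CN component, so the comparison was decided by the second octet (the length), long before either OID was reached. Supplying the two AVAs in the opposite order produces byte-identical output, which is the property DER exists to provide.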