On the other hand, if a certificate contained
    C=US, O=GTE Labs,
    organizationalRole={CN="Chief Financial Officer" +
                        roleOccupant=
                            (C=US,O=GTE,CN="Frank Strouse" +
                             Title="Director, Finance and Administration" +
                             Serial=007)
    }
Mark -- Please correct me if this use of a nested multivalued RDN
is not correct.
Yes, I believe it is possible that an RDN component may be an attribute
with DN syntax, i.e. roleOccupant or seeAlso. [What PEMs support this,
though?]
I'm also more than a little confused about the
syntax that is used to indicate an organizational role, since an
organizationalRole is an object class, not an attribute.
There is no DN syntax for this.
Distinguished Names do not indicate what the object class is of the
object which they're naming. Without a Directory system, it's not
really possible to tell. User Agents tend to guess based on the
RDN: countryName attribute implies country, organizationName implies
organization. However, the object classes person, organizationalRole,
groupOfNames, applicationProcess, applicationEntity, and device are all named
by the commonName attribute in X.521(93) Section 3.
I don't understand how an organizationalRole would be indicated
if there is no role occupant, because a common name is used to
indicate the role. How would you tell the difference between a
person's name and a role name?
X.521 does not require that an organizationalRole have a roleOccupant.
If you're not using a Directory, you _could_ throw the objectClass into the
RDN as well, but it would soon become an unworkable mess.
-------------------------------------
Mark Wahl; M(_dot_)Wahl(_at_)isode(_dot_)com; ISODE Consortium
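An added illustration, not code from the thread, of the two points argued above: a multi-valued RDN whose roleOccupant value is itself a DN, and the fact that the DN string carries no object class. Assumptions: RDN order is kept as in the post (root first), value escaping follows the RFC 2253 string rules, and the "roleOccupant implies organizationalRole" hint in guess_object_class is a hypothetical user-agent heuristic, not something X.521 mandates.

```python
# Added example (not from the thread): a DN is a list of RDNs, each RDN a list of
# (type, value) assertions; a value may itself be a DN, as for roleOccupant.
# RDN order follows the post (root first); escaping follows RFC 2253 string rules.
SPECIAL = set(',+"\\<>;')

def escape_value(value: str) -> str:
    """Escape an attribute value for the string form of a DN (RFC 2253 rules)."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == '#' and i == 0
        edge_space = ch == ' ' and i in (0, len(value) - 1)
        out.append('\\' + ch if ch in SPECIAL or leading_hash or edge_space else ch)
    return ''.join(out)

def rdn_to_string(rdn) -> str:
    """Render one (possibly multi-valued) RDN; '+' joins its assertions."""
    parts = []
    for attr, value in rdn:
        if isinstance(value, list):      # DN-syntax attribute: the nested DN is
            value = dn_to_string(value)   # rendered first, then escaped as a value
        parts.append(f"{attr}={escape_value(value)}")
    return '+'.join(parts)

def dn_to_string(dn) -> str:
    return ','.join(rdn_to_string(rdn) for rdn in dn)

# Object classes a naming attribute suggests; X.521 names several classes by
# commonName. The roleOccupant -> organizationalRole hint is an assumed heuristic.
OBJECT_CLASS_HINTS = {
    'c': ['country'], 'o': ['organization'], 'ou': ['organizationalUnit'],
    'cn': ['person', 'organizationalRole', 'groupOfNames',
           'applicationProcess', 'applicationEntity', 'device'],
    'roleoccupant': ['organizationalRole'],
}

def guess_object_class(dn) -> list:
    """Guess the named object's class from its last RDN, as a user agent might.
    Several results mean the DN alone cannot tell person from role."""
    sets = [set(OBJECT_CLASS_HINTS[a.lower()]) for a, _ in dn[-1]
            if a.lower() in OBJECT_CLASS_HINTS]
    return sorted(set.intersection(*sets)) if sets else []

# Constructed sample: the certificate subject from the post.
OCCUPANT_DN = [[('C', 'US')], [('O', 'GTE')],
               [('CN', 'Frank Strouse'),
                ('Title', 'Director, Finance and Administration'),
                ('Serial', '007')]]
ROLE_DN = [[('C', 'US')], [('O', 'GTE Labs')],
           [('CN', 'Chief Financial Officer'), ('roleOccupant', OCCUPANT_DN)]]
```

Rendering ROLE_DN shows the embedded occupant DN with its commas, plus signs and backslash escaped, and guess_object_class returns six candidates for the occupant's CN-only RDN but narrows to organizationalRole only because roleOccupant is present.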