pem-dev

dname rules (was: Re: PCA Policies)

1993-08-20 05:06:00
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822

Bob, et al.

I've been reviewing the naming rules.  There are a few loose ends, so I
may have the details wrong, but here's my current understanding.

- nested RDNs are not permitted in distinguished names.

- A distinguished name (dname or DN) is a sequence of relative
  distinguished names (RDN).

- An RDN is a sequence of AVAs.  (For comparison purposes, two RDNs are
  considered equivalent if the same set of AVAs occur, irrespective of
  order, and for this reason these are coded as "sets" in the ASN.1
  syntax, but unfortunately the original order must be preserved for
  presentation purposes.)

  RDNs are further restricted to have no more than one occurrence of
  any OID.

- Each AVA is a pair consisting of an OID and a value.  The OIDs must
  be registered in advance, and associated with each OID is the
  expected type of the value, a further restriction on the set of
  legal values, e.g. printable characters only within values of type
  string, and a rule for matching that determines whether two values
  are considered equivalent.  Trimming of white space and/or ignoring
  case are common examples.  As with the order of AVAs within an RDN,
  the original value must be kept for presentation.  Thus "Stephen D.
  Crocker", "STEPHEN  D. CROCKER" and "stephen d.    crocker" are all
  equivalent if case and extra white space are ignored, but each must
  be retained if it occurs in a certificate.


These rules require some form of registration of OIDs before they're
used so everyone knows what values to expect and how to match them.
A consequence of these rules is that an Issuing Authority must treat
two DNs as equivalent if they match the same.  For example, if a CA
issues two certificates, one to "Stephen D. Crocker" and one to
"stephen d.   crocker", they are expected to refer to the same person.


Steve
-----END PRIVACY-ENHANCED MESSAGE-----
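The rules in the message above, worked through as an added example (not code from the list or from any PEM implementation): a registry of OIDs with their value checks and matching rules, RDNs compared as sets of normalized AVAs with no repeated OID, DNs compared as ordered sequences of RDNs, and the issuing-authority check that treats matching DNs as the same subject. The registry contents and the rule names "exact" / "caseIgnoreSpace" are assumptions for illustration; the OIDs are the standard X.520 ones for C, O and CN.

```python
import re

# Constructed registry: OID -> (attribute name, legal-value check, matching rule).
# The PrintableString repertoire follows X.680; everything else is illustrative.
PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,./:=?-]+$")
REGISTRY = {
    "2.5.4.6": ("C", re.compile(r"^[A-Z]{2}$"), "exact"),
    "2.5.4.10": ("O", PRINTABLE, "caseIgnoreSpace"),
    "2.5.4.3": ("CN", PRINTABLE, "caseIgnoreSpace"),
}

def normalize(oid, value):
    """Comparison form of a value; the original string is never altered."""
    if REGISTRY[oid][2] == "exact":
        return value
    # caseIgnoreSpace: trim, collapse runs of white space, fold case
    return " ".join(value.split()).lower()

def validate_rdn(rdn):
    """rdn is a list of (oid, value) AVAs in original order."""
    oids = [oid for oid, _ in rdn]
    if len(oids) != len(set(oids)):
        raise ValueError("an RDN may not contain the same OID twice")
    for oid, value in rdn:
        if oid not in REGISTRY:
            raise ValueError(f"OID {oid} is not registered")
        if not REGISTRY[oid][1].match(value):
            raise ValueError(f"{value!r} is not a legal {REGISTRY[oid][0]} value")

def rdn_key(rdn):
    """Order-independent key: an RDN compares as a set of normalized AVAs."""
    validate_rdn(rdn)
    return frozenset((oid, normalize(oid, v)) for oid, v in rdn)

def dn_equivalent(dn_a, dn_b):
    """A DN is a sequence of RDNs: RDN order matters, AVA order within one does not."""
    return len(dn_a) == len(dn_b) and all(
        rdn_key(a) == rdn_key(b) for a, b in zip(dn_a, dn_b))

def present(dn):
    """Presentation form keeps the original spelling, spacing and AVA order."""
    return "/".join("+".join(f"{REGISTRY[o][0]}={v}" for o, v in rdn) for rdn in dn)

def issue(issued, dn):
    """CA check: a DN equivalent to one already certified names the same subject."""
    for prior in issued:
        if dn_equivalent(prior, dn):
            return "duplicate"
    issued.append(dn)
    return "issued"
```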
