pem-dev

Re: How close to X.509 is PEM?

1993-10-01 15:41:00
Hoyt,

Here's some of what is bothering me about the definitions of
distinguished names.

Apparently, there are three distinct senses for comparing or
normalizing distinguished names -- signature, matching and
presentation.

- For signatures, order is ignored within RDNs.

- For matching, both order within RDNs and some attributes of some
  values, e.g. case or white space, are ignored.  (What happens if an
  attribute has a value of a type other than what's expected or what
  happens if an undocumented attribute shows up is not specified.)

- For presentation, order and case are preserved.

These rules imply that {FN=STEPHEN, SN=CROCKER} and {SN=Crocker,
FN=Stephen} must be treated as referring to the same person and the CA
must not use these two versions for different people.  Further, the
certificate storage and retrieval mechanisms must find both of these
when either form is used to query.  The hashes of these two forms are
different, however.  And for presentation, both the case and the order
must be preserved.

And everyone understands these rules, right?

Steve
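
The three senses of comparison listed in the message, applied to its two example names. This is an added example, not part of the original message or of any PEM implementation. Assumptions: each RDN is held as a list of (type, value) pairs, every value is folded for case and white space when matching, and a SHA-256 over a text serialization stands in for the hash of the real encoding.

```python
import hashlib

# Constructed sample data: the two single-RDN names from the message.
DN_A = [[("FN", "STEPHEN"), ("SN", "CROCKER")]]
DN_B = [[("SN", "Crocker"), ("FN", "Stephen")]]


def presentation_form(dn):
    """Presentation: order and case are kept exactly as issued."""
    return ", ".join(
        "{" + ", ".join(f"{t}={v}" for t, v in rdn) + "}" for rdn in dn
    )


def signature_form(dn):
    """Signature: order inside each RDN is ignored, values are untouched."""
    return tuple(tuple(sorted(rdn)) for rdn in dn)


def matching_form(dn):
    """Matching: order inside each RDN, case and extra white space ignored."""
    def fold(value):
        return " ".join(value.split()).casefold()
    return tuple(tuple(sorted((t, fold(v)) for t, v in rdn)) for rdn in dn)


def digest(form):
    """Hash of a simplified serialization (assumption: not the real encoding)."""
    return hashlib.sha256(repr(form).encode()).hexdigest()


def find_collisions(issued):
    """CA-side check: pairs of names that match but hash differently."""
    seen, clashes = {}, []
    for dn in issued:
        key = matching_form(dn)
        if key in seen and signature_form(seen[key]) != signature_form(dn):
            clashes.append((seen[key], dn))
        seen.setdefault(key, dn)
    return clashes


if __name__ == "__main__":
    for dn in (DN_A, DN_B):
        print(presentation_form(dn), digest(signature_form(dn))[:16])
    print("match-equal:", matching_form(DN_A) == matching_form(DN_B))
    print("collisions:", find_collisions([DN_A, DN_B]))
```
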
