Paul, I'm having some trouble understanding you.
> I agree that X.500 naming is potentially messy business. [Agreed!]
> However, if two dnames refer to the same object in a directory then I think
> it is imperative that a PEM implementation recognize this equivalence
> when accessing its locally stored certs and CRLs during message processing.
What do you really mean by this? In particular, what if a DN has an alias within
the directory that is more user friendly than a fully qualified DN that is
(arguably) more appropriate for use within a certificate. E.g., C=US,O=IBM might
be an alias of C=US,O=International Business Machines Corp.
What is it that you are saying that the PEM UA should do?
> More importantly, an issuer must take care that a requested subject name
> does not refer to a distinct object when creating a certificate.
I hope there was a typo in here somewhere??? Are you trying to suggest that
a CA which is not operating under an X.500 directory should somehow be forced
to ensure that the DN in the certificate that it creates is not already in use
within the directory? Other than by using name subordination and therefore name
qualification, how would you go about doing this?
> Thus an implementation must be able to properly compare equivalent
> dnames -- according to the X.500 rules.
Is this another version of the question raised by Peter Williams, as to what is
the necessary and sufficient relationship between the DN in the certificate and
the DN in the directory?
I agree that it would seem to be a good idea to canonicalize the names in the
same way, so that one doesn't contain redundant blanks. Removing trick
characters such as backspace or reverse line feed would be a good idea,
but not if it would interfere with non-English alphabets.
Do the X.500 and PEM rules differ significantly in this area?
Bob
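As an added illustration of the comparison the thread is arguing about (this is not code from Bob, Paul or any PEM implementation): two string DNs are canonicalized using the X.500 caseIgnoreMatch conventions (case-insensitive, leading/trailing blanks ignored, interior runs of blanks collapsed), with control characters such as backspace dropped but accented letters kept, and then compared. It assumes a simplified DN syntax with no escaped commas or multi-valued RDNs, and it shows that the alias C=US,O=IBM is not syntactically equivalent to the full name, so directory aliasing cannot be resolved by string comparison alone.

```python
import re
import unicodedata


def parse_dn(dn: str):
    """Split 'C=US, O=Acme Corp' into a list of (attribute-type, value) RDNs.

    Assumption: no escaped commas and no multi-valued RDNs, which is enough
    for the names discussed in the thread.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), value))
    return rdns


def canonicalize_value(value: str) -> str:
    """Normalize an attribute value the way X.500 caseIgnoreMatch treats it.

    Runs of whitespace collapse to one space, leading/trailing space is
    ignored, and case is insignificant. Control characters (category Cc,
    e.g. backspace or reverse line feed) are removed so they cannot be used
    to make two names look alike on a terminal; letters outside ASCII are
    kept so non-English names still compare correctly.
    """
    value = unicodedata.normalize("NFKC", value)
    value = re.sub(r"\s+", " ", value).strip()
    value = "".join(ch for ch in value if unicodedata.category(ch) != "Cc")
    return value.casefold()


def canonical_dn(dn: str):
    """Canonical, comparable form of a DN: tuple of (TYPE, canonical value)."""
    return tuple((attr, canonicalize_value(v)) for attr, v in parse_dn(dn))


def dn_equivalent(a: str, b: str) -> bool:
    """True when the two DNs match under the caseIgnoreMatch rules above."""
    return canonical_dn(a) == canonical_dn(b)


if __name__ == "__main__":
    full = "C=US,O=International Business Machines Corp"
    print(dn_equivalent(full, "c=us, o=International   Business Machines Corp"))
    print(dn_equivalent(full, "C=US,O=IBM"))  # alias: not equivalent
```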