
Re: order of name attributes in certificates, suggestion for 3280 bis



Tom Gindin wrote:
> most RPs should and do either treat DNs as binary blobs
> or convert them to character format and treat them as strings.

Well, but the "character format" should be clearly specified - IMO it's not.

RFC3280bis in particular should have a normative reference for the DN string
representation used for the example DNs in appendix C, which defines:
- order
- character set
- defined RDN separator
- multi-valued RDNs

Semicolons as RDN separators, as used in appendix C, are today not
widely known to implementors and are disallowed in LDAPv3 (see RFC 2253).
I'd think this needs clarification. Also, the character set of the string
representation should be clearly specified (UTF-8 in RFC 2253).

=> use a normative reference to RFC 2253 (or its upcoming successor
draft-ietf-ldapbis-dn) and correct examples in appendix C accordingly.

>  It is also 
> common enough to verify one or two attributes in a DN, as S/MIME and 
> SSL/TLS support (although oddly the only real reference to TLS' common use 
> of validation I can find is in HTTPS - RFC 2818 section 3.1).  Does anyone 
> know of common protocols which verify the order of DN attributes?

Examples: not really protocols, but think of textual configuration files:
- containing certificate profiles or
- regular expressions mapping the subject DNs to a user identity
...

Ciao, Michael.
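As an added illustration of the point made in this message (example code, not part of the original post or of any RFC text): a small serializer that emits a DN in the RFC 2253 string form (reverse order, ',' between RDNs, '+' inside a multi-valued RDN, backslash escaping, values kept as UTF-8), next to a constructed ad hoc "forward order, ';'-separated, no escaping" form. The DNs and the `naive_dn_string` format are constructed for the demonstration and show why an unspecified string representation lets two distinct DNs compare as equal.

```python
# A DN is modelled in ASN.1 order: a list of RDNs, each RDN a list of
# (attributeType, value) pairs; more than one pair means a multi-valued RDN.

SPECIAL = set(',+"\\<>;')  # characters RFC 2253 section 2.4 requires escaping


def escape_value(value: str) -> str:
    """Escape one AttributeValue as RFC 2253 section 2.4 describes."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing space
            out.append('\\ ')
        elif ch == '#' and i == 0:                   # leading '#'
            out.append('\\#')
        else:
            out.append(ch)  # everything else, including non-ASCII, stays as UTF-8
    return ''.join(out)


def dn_to_rfc2253(dn) -> str:
    """ASN.1 RDN sequence -> RFC 2253 string (last RDN first, ',' separated)."""
    parts = []
    for rdn in reversed(dn):
        parts.append('+'.join(f'{t}={escape_value(v)}' for t, v in rdn))
    return ','.join(parts)


def naive_dn_string(dn) -> str:
    """Constructed contrast: forward order, '; ' separators, no escaping.
    This is the kind of unspecified 'character format' the post objects to."""
    return '; '.join('+'.join(f'{t}={v}' for t, v in rdn) for rdn in dn)


# Constructed sample DNs: one with a genuine multi-valued RDN, one whose single
# O value merely *contains* the text "+OU=Sales".
DN_MULTI = [[('C', 'US')], [('O', 'Acme'), ('OU', 'Sales')]]
DN_PLUS_IN_VALUE = [[('C', 'US')], [('O', 'Acme+OU=Sales')]]


def naive_form_collides() -> bool:
    """True if the ad hoc form cannot tell the two DNs apart while RFC 2253 can."""
    return (naive_dn_string(DN_MULTI) == naive_dn_string(DN_PLUS_IN_VALUE)
            and dn_to_rfc2253(DN_MULTI) != dn_to_rfc2253(DN_PLUS_IN_VALUE))
```

A relying party that matches subject DNs as strings (e.g. via a regular expression in a configuration file) therefore needs the producer and the consumer to agree on one normative string form; otherwise a match written against one form can accept a different DN.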