Re: processing Name in certificate
"Kwon, YongChul" writes:
>When converting Name(DN) in certificate to LDAP DN,
>
>What is the order of Name?
It's easy to see why you're confused, and you're certainly not alone
on this, as there are differing external orders of representation of
DNs around.
However, you need to know that the sequence of RDNs in the
certificate's ASN.1 encoding of Name is unambiguous; the Name
represents a path through a (putative) hierarchy, with the first
member of the sequence being the most significant, and the last the least
significant.
X.509 Certificates are defined (surprise!) by the X.509 standard,
which does not explicitly spell out the order, because it is defined
in X.501, referenced as normative by X.509, and hence further
definition would be redundant in X.509. Since RFC 2459 (and other
profiles issued by the PKIX group) profiles the use of X.509
certificates, the X.501 definition applies there too in the absence of
any statement to the contrary.
Given that this internal ordering is well-defined, the issue becomes
one of external presentation and ensuring that whatever ordering you
use is mapped correctly onto the internal ASN.1 encoded order.
An LDAP DN string, defined by RFC 1779, is encoded in the reverse
order (least significant first), and passes across the LDAP protocol
in this order UNLESS it has been encoded in a certificate or some
similar object whose value is a binary ASN.1 encoding of a DN.
>if Name in certificate stored in order likes "C L ST O OU ...",
>
>Should it be converted in LDAP DN likes "...OU O ST L C"?
Yes.
>or just same order in RDN sequence?
No.
>or It's free for implementer?( I really don't want that. :-( )
No, it's well-defined. Just confusing.
David.
david.boyce@messagingdirect.com
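The conversion David describes, as an added worked example that is not part of his message or of any project: a hand-rolled DER encoder/decoder for a Name (RDNSequence) so the block runs with no third-party library, plus the string conversion that reverses the RDN order and applies the escaping rules of RFC 2253 (the successor to the RFC 1779 string syntax he cites). The sample DN ("C=KR, ST=Seoul, ...") is constructed here for illustration; the attribute-type OIDs are the standard X.520 ones. The decoder also handles multi-valued RDNs (joined with "+"), which the original thread does not discuss.

```python
# Added example: X.501 Name (DER) <-> LDAP DN string, showing the order reversal.
# Standard X.520 attribute-type OIDs (fact, not an assumption).
OID_TO_NAME = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
               "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
NAME_TO_OID = {v: k for k, v in OID_TO_NAME.items()}

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def encode_name(rdns):
    """DER-encode a Name from (type, value) pairs given in X.501 order:
    most significant RDN (e.g. C) first, least significant (e.g. CN) last.
    Every value is written as a UTF8String; each RDN is a SET of one AVA."""
    seq = b""
    for attr, value in rdns:
        ava = _tlv(0x30, _tlv(0x06, _encode_oid(NAME_TO_OID[attr]))
                         + _tlv(0x0C, value.encode("utf-8")))
        seq += _tlv(0x31, ava)            # SET OF AttributeTypeAndValue
    return _tlv(0x30, seq)                # SEQUENCE OF RelativeDistinguishedName

def _read_tlv(buf, pos):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """Return a list of RDNs, each a list of (type, value), in ENCODED order.
    The encoded order is the X.501 hierarchy order: C ... CN."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        avas, p = [], 0
        while p < len(rdn):                       # multi-valued RDNs have >1 AVA
            _, ava, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(ava, 0)
            _, val, _ = _read_tlv(ava, q)
            dotted = _decode_oid(oid)
            avas.append((OID_TO_NAME.get(dotted, dotted), val.decode("utf-8")))
        rdns.append(avas)
    return rdns

_SPECIAL = set(',+"\\<>;')

def _escape(value):
    """RFC 2253 section 2.4: escape specials, a leading space or '#', a trailing space."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\" + ch if ch in _SPECIAL or leading or trailing else ch)
    return "".join(out)

def to_ldap_dn(der):
    """LDAP DN string: least significant RDN first, i.e. the encoded order reversed."""
    rdns = decode_name(der)
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in reversed(rdns))

def to_encoded_order_string(der):
    """Same RDNs printed in encoded (X.501) order. Fed to an LDAP server as a DN
    string this names a different (non-existent) entry; shown only for contrast."""
    return ",".join("+".join(f"{t}={_escape(v)}" for t, v in rdn) for rdn in decode_name(der))

# Constructed sample subject, not from the original thread.
SAMPLE_NAME = encode_name([("C", "KR"), ("ST", "Seoul"), ("O", "Example, Inc."),
                           ("OU", "PKI"), ("CN", "YongChul Kwon")])

if __name__ == "__main__":
    print("encoded order :", to_encoded_order_string(SAMPLE_NAME))
    print("LDAP DN string:", to_ldap_dn(SAMPLE_NAME))
```

Note the comma inside "Example, Inc." comes out as "Example\, Inc." in the string form; an implementation that reverses the order but forgets the escaping produces a string that splits into the wrong RDNs on the LDAP side.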