RE: Microsoft and multi-valued RDNs (was: draft minutes)
Yes there is a difference between a DN with multiple RDNs which is what you depict and an individual RDN having multiple values. Most commonly used applications like SSL and SMIME don't use the DN but used other name types such as DNS or email so the presence of multi-valued RDNs is benign.
IE is a case in point where it only processes a single value (the common name) from the DN and only then if there is no DNS name in the subject alt name. Therefore I can readily believe in that case, no problem was found when testing with multi-valued RDNs.
The scope for applications not doing the right thing in the presence of a multi-valued RDN is pretty big. For example, there is a large body of applications that extract subsets of data from the DN, such as only using the common name in UI, which will ignore subsequent values of the RDN. Therefore Microsoft's lack of support for multi-valued RDN with AD is the tip of the iceberg and anyone insisting on using them will have a lot of regression testing to perform. This is why typically the more pragmatic solution is to simply append some data to the string used for the common name to make the CN unique.
Trevor
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of RWEISER@xxxxxxxxxxxx
Sent: Thursday, July 24, 2003 9:15 AM
To: Michael Ströder; ietf-pkix@xxxxxxx
Subject: Re: Microsoft and multi-valued RDNs (was: draft minutes)
Stephen Kent,
DST has been using a multivalued RDN in EndEntity certificates for a number
of PKIs since 1999 when we started issuing certificates. We only do
this for End Entities not servers. Basically the certificate SubDN looks
like the following.
0.9.2342.19200300.100.1.1 = D01E473E000000F58FE3DDDC00000709,E =
rweiser@xxxxxxxxxxxx, CN = Russel F Weiser,O = TrustID personal
certificate,C = US
We have used this with numerous and integrated with many applications.
So is the issue that Microsoft Active Directory will not support multivalued
RDNs or that their applications don't? I'm just trying to understand the
issue more clearly.
----- Original Message -----
From: "Michael Ströder" <michael@xxxxxxxxxxxx>
To: <ietf-pkix@xxxxxxx>
Sent: Thursday, July 24, 2003 3:47 AM
Subject: Microsoft and multi-valued RDNs (was: draft minutes)
>
> Stephen Kent wrote:
> >
> > LDAP Documents:
> > [..]
> > Biggest issue on the table for the schema document is that
> > Microsoft says it will not support multi-valued attributes (e.g., a
> > terminal RDN that is a set consisting of a common name and a serial
> > number).
>
> Could someone please elaborate on this?
>
> One of my customers is planning to use exactly this naming scheme with
> multi-valued RDNs in a rather large PKI deployment and so we're scared about
> interoperability issues.
>
> Ciao, Michael.
>
>
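Added example, not part of the thread: a small Python model of the distinction Trevor and Russ are discussing. It renders a DN in RFC 4514 string form (values inside one RDN joined by `+`, RDNs joined by `,`), shows that a "just grab the CN" extractor returns the same answer for a multi-valued terminal RDN, for the same attributes spread over several RDNs, and for two different users who share a CN, and shows that comparing DNs as strings breaks when the values inside a multi-valued RDN are reordered while a set-wise comparison does not. It also renders Trevor's pragmatic alternative of appending a unique token to the CN. The DNs, names and email addresses are constructed samples in the style of the DST certificate quoted above; only the UID value is taken from the thread.

```python
"""Multi-valued RDN vs. several RDNs: a DN is modelled as a list of RDNs
(most significant first, as in X.501) and each RDN as a list of
(attribute-type OID, value) pairs. An RDN with more than one pair is a
multi-valued RDN and is a *set*, so the order of its pairs must not matter."""

# Short names from RFC 4514 section 2.3; 'E' for emailAddress is a common
# display form (it has no RFC 4514 short name). Unknown types print dotted.
SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O",
    "0.9.2342.19200300.100.1.1": "UID",
    "1.2.840.113549.1.9.1": "E",
}
CN, C, O = "2.5.4.3", "2.5.4.6", "2.5.4.10"
UID, EMAIL = "0.9.2342.19200300.100.1.1", "1.2.840.113549.1.9.1"
SPECIAL = set(',+"\\<>;')


def escape_value(value):
    """Minimal RFC 4514 section 2.4 escaping. An unescaped '+' or ',' in a
    value would otherwise be read back as an RDN or AVA separator."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def render_dn(dn):
    """RFC 4514 string form: least significant RDN first, AVAs of one RDN
    joined by '+', RDNs joined by ','."""
    rdn_strings = []
    for rdn in reversed(dn):
        avas = [f"{SHORT_NAMES.get(t, t)}={escape_value(v)}" for t, v in rdn]
        rdn_strings.append("+".join(avas))
    return ",".join(rdn_strings)


def naive_cn(dn):
    """What many UIs do: first CN value found, everything else in that RDN ignored."""
    for rdn in dn:
        for t, v in rdn:
            if t == CN:
                return v
    return None


def canonical(dn):
    """Order-independent form: each RDN becomes a frozenset of its AVAs
    (attribute types compared case-insensitively, values compared exactly)."""
    return tuple(frozenset((t.lower(), v) for t, v in rdn) for rdn in dn)


def dn_equal(a, b):
    return canonical(a) == canonical(b)


def terminal_rdn_is_multivalued(dn):
    return len(dn[-1]) > 1


# Constructed samples (names and addresses are placeholders).
BASE = [[(C, "US")], [(O, "Example personal certificate")]]
SERIAL = "D01E473E000000F58FE3DDDC00000709"
# Terminal RDN is the set {UID, E, CN}.
USER_A = BASE + [[(UID, SERIAL), (EMAIL, "user.a@example.com"), (CN, "Sample User")]]
# Same AVAs, different order inside the set.
USER_A_REORDERED = BASE + [[(CN, "Sample User"), (UID, SERIAL), (EMAIL, "user.a@example.com")]]
# A different person with the same CN.
USER_B = BASE + [[(UID, "D01E473E000000F58FE3DDDC0000070A"), (EMAIL, "user.b@example.com"), (CN, "Sample User")]]
# The same attributes as three single-valued RDNs (a different DN).
AS_SEPARATE_RDNS = BASE + [[(CN, "Sample User")], [(EMAIL, "user.a@example.com")], [(UID, SERIAL)]]
# Trevor's pragmatic alternative: make the CN itself unique.
CN_WITH_SERIAL = BASE + [[(CN, f"Sample User {SERIAL}")]]

if __name__ == "__main__":
    for label, dn in [("multi-valued terminal RDN", USER_A),
                      ("same AVAs, separate RDNs", AS_SEPARATE_RDNS),
                      ("other user, same CN", USER_B),
                      ("unique CN instead", CN_WITH_SERIAL)]:
        print(f"{label:26s} {render_dn(dn)}\n{'':26s} naive CN -> {naive_cn(dn)!r}")
    print("reordered set, string forms equal:", render_dn(USER_A) == render_dn(USER_A_REORDERED))
    print("reordered set, set-wise equal:    ", dn_equal(USER_A, USER_A_REORDERED))
```

The `+` in the rendered string is the only visible trace of the multi-valued RDN, which is why a display routine that keys on `CN=` cannot tell USER_A from USER_B; the canonical set comparison is what an application has to do if it matches on the DN at all, and the escaping matters because a `+` inside a value would otherwise masquerade as a second AVA.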