
Re: RFC 3280 and multiple Organization (O) fields in DN



        IMHO, this rule originated with X.400.  The name form containing 
C, O, OU, and CN is largely derived from the "Mnemonic O/R address" of 
CCITT (now ITU) X.400, although in that standard there was also a 
mandatory administrative domain name.  In that standard, C, O, and CN had 
to be single-valued, while OU could have up to four values (see the 
MTSUpperBounds ASN.1 module).
        I don't see anything in the directory standards proper (especially 
X.520 and X.521, where it would be expected) which is as clear as X.400 in 
forbidding multiple values of C and O while permitting them for OU.

                Tom Gindin





Stephen Kent <kent@xxxxxxx>
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
12/22/2004 08:00 AM
 
        To:     Jostein Tveit <josteitv@xxxxxxxxxxx>
        cc:     ietf-pkix@xxxxxxx
        Subject:        Re: RFC 3280 and multiple Organization (O) fields in DN



At 12:47 PM +0100 12/22/04, Jostein Tveit wrote:
>Hello pkix list!
>
>I have a question regarding RFC 3280 and support for multiple
>Organization (O) fields in the DN field in a certificate.
>
>I cannot see that the standard says anything explicit about
>this.
>Can someone please guide me to where I can find some information
>about this issue, or point out the section I missed in the RFC.
>
>Basically, are multiple Organization (O) fields allowed?
>And where is it stated/not stated?
>
>Thanks in advance for all answers.
>
>Regards,
>--
>Jostein Tveit <josteitv@xxxxxxxxxxx>

This is an X.500/X.520 question, more than an X.509/PKIX question.

However, my answer is that one would not expect to see multiple 
organization attributes in a DN, although multiple organizational 
unit attributes are fine.  It's a matter of the semantics of DNs and 
the interpretation of attributes.  Similarly, one would not expect to 
see multiple country attributes in a DN, in the usual interpretation 
of the DIT.

Steve
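
Added example, not part of the thread and not code from any of the posters: a Python lint that counts attribute types in a string-form DN and reports any that exceed the X.400 bounds quoted above (C, O and CN single-valued, OU up to four). Treating those bounds as policy is an assumption, since the thread notes that X.520/X.521 are not explicit; the function names and sample DNs are constructed, and the legacy quoted-string value form is not handled.

```python
from collections import Counter

# Limits as stated in the thread for the X.400 mnemonic form; applied here
# as lint policy (an assumption), not as a requirement of RFC 3280.
MAX_VALUES = {"C": 1, "O": 1, "CN": 1, "OU": 4}


def split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Return [(TYPE, value), ...] for every attribute in a string-form DN."""
    attrs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            if not ava.strip():
                continue
            attr_type, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed attribute: {ava!r}")
            attrs.append((attr_type.strip().upper(), value.strip()))
    return attrs


def lint_dn(dn):
    """Return findings for attribute types that exceed MAX_VALUES."""
    counts = Counter(t for t, _ in parse_dn(dn))
    return [f"{t}: {counts[t]} values, limit {limit}"
            for t, limit in MAX_VALUES.items() if counts[t] > limit]
```

Counting across the whole DN catches both repeated RDNs (`O=...,O=...`) and a multi-valued RDN (`O=...+O=...`).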