[glue-wg] DN format anomaly

Paul Millar paul.millar at desy.de
Fri Feb 8 10:18:13 EST 2013


Hi all,

On 01/31/2013 05:55 PM, stephen.burke at stfc.ac.uk wrote:
> JP Navarro [mailto:navarro at mcs.anl.gov] said:
>> It would appear there is no RFC.  We have a choice to make on
>> whether to change GLUE 2 to be compliant with an RFC, or keep
>> things the way they are to be compatible with an old de-facto
>> standard.  Both options have impacts of different sorts.
>
> With our current middleware I think it doesn't make sense to use
> anything other than the openssl format in GLUE, it would mean having
> format converters in both directions which would be highly
> error-prone, there are lots of subtleties. You could argue that the
> entire middleware should change, but I think that would be about as
> likely as the UK changing to driving on the right!

Actually, I disagree.

GLUE-2 is a standard, or is meant to be one.  If it says "use this 
format" then that format must be defined in precise language, or we 
point to where it is defined.

Yet here we have a problem.  The OpenSSL/Globus format simply isn't 
defined.  There are some incomplete, partial definitions out there.  It 
is ambiguous, with the potential for different software resolving these 
ambiguities in different ways.  The format isn't even constant, but has 
evolved over the lifetime of the OpenSSL library.

... and you want to base a standard on this?

OK, so you do.  Since there's no document, we would need to write down 
precisely what we mean by OpenSSL-DNs, for example as Appendix C in the 
document.  Next we would try to insist that all software adopts our 
definition of a (ASCII? UTF-8?) DN representation.  My bet is on the 
software ignoring Appendix C in favour of what the OpenSSL library 
happens to do (this release of the library, anyway), what Globus 
libraries do, what CANL does, what ...

... yup, so this also doesn't work.

So, what can we do?

Adopt a standardised format, say, one published as an RFC.

Yes, this means that publishing DNs will be a bit of a pain, but probably 
not *that* much of a pain, since libraries exist for representing DNs in 
standard formats.  (That's why standards are good! ;-)

That we've been doing it wrong for a long time doesn't mean it becomes 
right; and GLUE 2 is an excellent opportunity to fix such mistakes.

As usual, just my 2c worth,

Paul.
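
The ambiguity discussed in the message above, as an added example that is not part of the original post or of any grid middleware. It models the slash-separated form as plain "/type=value" concatenation without escaping, takes RFC 4514 as one RFC-published string format (the post does not name a specific RFC), assumes single-valued RDNs, and uses constructed DN values; all function names are hypothetical.

```python
import re

# Constructed sample DNs: two different RDN sequences.
DN_A = [("C", "DE"), ("O", "Research/OU=Physics"), ("CN", "host/grid.example.org")]
DN_B = [("C", "DE"), ("O", "Research"), ("OU", "Physics"), ("CN", "host/grid.example.org")]

def to_oneline(rdns):
    """Slash-separated rendering: values are emitted with no escaping."""
    return "".join(f"/{t}={v}" for t, v in rdns)

def to_rfc4514(rdns):
    """RFC 4514 string: RDNs in reverse order, special characters escaped."""
    def esc(v):
        out = re.sub(r'([\\",+;<>])', r"\\\1", v).replace("\0", "\\00")
        if v.endswith(" ") and len(v) > 1:
            out = out[:-1] + "\\ "   # a trailing space must be escaped
        if v.startswith(("#", " ")):
            out = "\\" + out         # so must a leading '#' or space
        return out
    return ",".join(f"{t}={esc(v)}" for t, v in reversed(rdns))

def parse_lenient(s):
    """Reader A: a new RDN starts only at a "/" that is followed by "type="."""
    parts = re.split(r"/(?=[A-Za-z][A-Za-z0-9.-]*=)", s)[1:]
    return [tuple(p.split("=", 1)) for p in parts]

def parse_strict(s):
    """Reader B: every "/" starts a new RDN; a piece without "=" is an error."""
    out = []
    for p in s.split("/")[1:]:
        if "=" not in p:
            raise ValueError(f"not an RDN: {p!r}")
        out.append(tuple(p.split("=", 1)))
    return out

if __name__ == "__main__":
    print(to_oneline(DN_A))            # same string as to_oneline(DN_B)
    print(to_rfc4514(DN_A))
    print(to_rfc4514(DN_B))
    print(parse_lenient(to_oneline(DN_A)) == DN_A)   # False: A is read back as B
    try:
        parse_strict(to_oneline(DN_A))
    except ValueError as e:
        print("strict reader:", e)
```

The two readers stand for two pieces of software consuming the same published string: one silently returns a different DN from the one that was serialised, the other rejects it.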

