[glue-wg] DN format anomaly

JP Navarro navarro at mcs.anl.gov
Thu Jan 31 08:25:24 EST 2013


A security expert told me:

> RFC 4514 (previously RFC 2253) defines the only standard string
> representation for DNs that I'm aware of. Globus adopted an old OpenSSL
> DN string format which maybe could be called a de-facto standard at this
> point, but even OpenSSL supports it only for the sake of backward
> compatibility:
> 
>  http://www.openssl.org/support/faq.html#USER13

It would appear there is no RFC.  We have a choice to make on whether to change GLUE 2 to be compliant with an RFC, or keep things the way they are to be compatible with an old de-facto standard.  Both options have impacts of different sorts.

JP

On Jan 30, 2013, at 6:20 PM, stephen.burke at stfc.ac.uk wrote:

> Hi all,
> 
> Paul Millar raised an issue about DNs. The schema has two attributes, IssuerCA and TrustedCA, with type DN_t, defined as:
> 
> "Distinguished Name as defined by RFC 4514 (http://www.rfc-editor.org/rfc/rfc4514.txt). X.509 uses a X.500 namespace, represented as several Relative Domain-Names (RDNs) concatenated by forward-slashes. The final RDN is usually a single common name (CN), although multiple CNs are allowed."
> 
> What I expect is the usual globus/openssl-style format like
> 
> /C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
> 
> and that is indeed what's being published in EGI. The text of the definition above agrees with that. However, RFC 4514 is in fact the definition of LDAP DNs, which of course look like
> 
> GLUE2DomainID=UKI-SOUTHGRID-BHAM-HEP,GLUE2GroupID=grid,o=glue
> 
> i.e. comma-delimited and in the reverse order. The reference to RFC 4514 looks like a mistake to me - any thoughts?
> 
> Stephen
> 
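The two DN serialisations compared in this thread, as an added example (not GLUE, Globus or OpenSSL code): a converter from the OpenSSL one-line form to the RFC 4514 string form and back, applying the RFC 4514 section 2.4 escaping that the slash format lacks. It assumes no unescaped '/' inside any value, since the legacy format cannot express one, and leaves multi-valued RDNs ('+') out.

```python
# Added example, not project code. Assumes the OpenSSL one-line input has no
# unescaped '/' in a value (the legacy format cannot express one); no '+' RDNs.

_SPECIAL = frozenset('"+,;<>\\')  # RFC 4514 s2.4: must be escaped in a value

def parse_openssl_oneline(dn):
    """'/C=UK/O=Acme/CN=x' -> [('C', 'UK'), ('O', 'Acme'), ('CN', 'x')]."""
    rdns = []
    for part in dn.lstrip("/").split("/"):
        attr, sep, value = part.partition("=")
        if not (attr and sep):
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, value))
    return rdns

def escape_rfc4514_value(value):
    """Escape one attribute value as RFC 4514 section 2.4 requires."""
    out = []
    for i, ch in enumerate(value):
        if (ch in _SPECIAL or ch == "\x00" or (ch == "#" and i == 0)
                or (ch == " " and i in (0, len(value) - 1))):
            out.append("\\00" if ch == "\x00" else "\\" + ch)  # NUL only as hex
        else:
            out.append(ch)
    return "".join(out)

def to_rfc4514(dn):
    """OpenSSL one-line DN -> RFC 4514 string: RDNs reversed, comma-joined."""
    rdns = parse_openssl_oneline(dn)
    return ",".join(f"{a}={escape_rfc4514_value(v)}" for a, v in reversed(rdns))

def from_rfc4514(dn):
    """RFC 4514 string -> OpenSSL one-line DN, undoing backslash escapes."""
    rdns, buf, i = [], [], 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","            # sentinel closes the last RDN
        if ch == "\\":                                # '\X' or '\hh' (ASCII octet only)
            nxt = dn[i + 1:i + 2]
            if not nxt:
                raise ValueError("dangling backslash")
            ch, i = (chr(int(dn[i + 1:i + 3], 16)), i + 2) if nxt.isalnum() else (nxt, i + 1)
            buf.append(ch)                            # escaped char never ends an RDN
        elif ch == ",":
            attr, _, value = "".join(buf).partition("=")
            rdns.append((attr, value))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return "".join(f"/{a}={v}" for a, v in reversed(rdns))
```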
