
A security expert told me:
RFC 4514 (previously RFC 2253) defines the only standard string representation for DNs that I'm aware of. Globus adopted an old OpenSSL DN string format which maybe could be called a de-facto standard at this point, but even OpenSSL supports it only for the sake of backward compatibility:
It would appear there is no RFC. We have a choice to make on whether to change GLUE 2 to be compliant with an RFC, or keep things the way they are to be compatible with an old de-facto standard. Both options have impacts of different sorts.
JP
On Jan 30, 2013, at 6:20 PM, stephen.burke@stfc.ac.uk wrote:
Hi all,
Paul Millar raised an issue about DNs. The schema has two attributes, IssuerCA and TrustedCA, with type DN_t, defined as:
"Distinguished Name as defined by RFC 4514 (http://www.rfc-editor.org/rfc/rfc4514.txt). X.509 uses a X.500 namespace, represented as several Relative Domain-Names (RDNs) concatenated by forward-slashes. The final RDN is usually a single common name (CN), although multiple CNs are allowed."
What I expect is the usual globus/openssl-style format like
/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B
and that is indeed what's being published in EGI. The text of the definition above agrees with that. However, RFC 4514 is in fact the definition of LDAP DNs, which of course look like
GLUE2DomainID=UKI-SOUTHGRID-BHAM-HEP,GLUE2GroupID=grid,o=glue
i.e. comma-delimited and in the reverse order. The reference to RFC 4514 looks like a mistake to me - any thoughts?
Stephen
glue-wg mailing list
glue-wg@ogf.org
https://www.ogf.org/mailman/listinfo/glue-wg
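As an added illustration (not part of the thread or of the GLUE schema), a small Python converter between the two DN string forms Stephen contrasts: the OpenSSL/Globus oneline form (`/C=UK/O=...`) and the RFC 4514 LDAP form (reverse order, comma-separated, with RFC 4514 section 2.4 escaping). The helper names and the format check are my own; the sample values are constructed from the examples in the message.

```python
import re

# RFC 4514 section 2.4: characters that must be backslash-escaped anywhere in a value.
_RFC4514_SPECIAL = ',+"\\<>;'


def escape_rfc4514(value: str) -> str:
    """Escape one attribute value as RFC 4514 section 2.4 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RFC4514_SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')           # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')           # a leading '#' would mean a hex-encoded value
        elif ch == '\x00':
            out.append('\\00')          # NUL must be written as \00
        else:
            out.append(ch)
    return ''.join(out)


# OpenSSL's legacy "oneline" format is /type=value/type=value with no escaping,
# so a '/' inside a value is ambiguous. Split only where the text after the '/'
# looks like an attribute type followed by '='; this is a heuristic, not a spec.
_RDN_SPLIT = re.compile(r'/(?=[A-Za-z][A-Za-z0-9.-]*=)')


def parse_openssl_oneline(dn: str) -> list:
    """Return [(type, value), ...] in the order the oneline string lists them."""
    if not dn.startswith('/'):
        raise ValueError('OpenSSL oneline DN must start with "/"')
    rdns = []
    for part in _RDN_SPLIT.split(dn[1:]):
        attr, sep, val = part.partition('=')
        if not sep:
            raise ValueError(f'malformed RDN: {part!r}')
        rdns.append((attr, val))
    return rdns


def openssl_to_rfc4514(dn: str) -> str:
    """Convert /C=UK/O=.../CN=... to RFC 4514 form: reversed order, comma-separated."""
    rdns = parse_openssl_oneline(dn)
    return ','.join(f'{attr}={escape_rfc4514(val)}' for attr, val in reversed(rdns))


def looks_like_rfc4514(dn: str) -> bool:
    """Cheap check for values a site publishes: RFC 4514 strings start with type=."""
    return not dn.startswith('/') and re.fullmatch(r'[A-Za-z][\w.-]*=.*', dn) is not None


if __name__ == '__main__':
    # Constructed sample matching the UK e-Science CA example from the thread.
    print(openssl_to_rfc4514('/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA 2B'))
```

The ambiguity of '/' in the oneline form is exactly why a published value should be validated against one declared format rather than guessed.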