On Fri, 26 Mar 2004, Ian Stokes-Rees wrote:
> 2. DN vs. x509 certificate Subject. Is Email supposed to be mandatory?
If anything it should be mandatory *not* to have it, unless we want
even more spam! Certainly there's no requirement to have it in
general.
> I think my confusion is coming from not understanding the relationship
> between DNs and Subjects. Are Subjects just arbitrary strings, which by
> convention (if so, whose convention) use LDAP DNs?
DNs aren't tied to LDAP in particular, they were part of the ISO
networking standards which a decade or so ago were supposed to be the way
forward for everything, e.g. you also had email addresses in that form. In
practice everyone ignored it and used tcp/ip, so now DNs just survive in
odd corners. The Subject Name (SN) for a certificate is a DN, in effect
the unique name of whoever or whatever the certificate is issued to. Each
CA has a name space for which it can issue certificates. I don't think
there are any absolute rules for how the DNs are made up, just
conventions, but they have to be defined such that they end up unique,
i.e. they have to distinguish the things they name.
Stephen
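An added example, not code from this thread: a small parser for the RFC 4514 string form of a DN (the form a certificate Subject Name is usually printed in), with a check for whether the subject carries an e-mail attribute and a simplified normalisation for seeing whether two names in one CA's name space would collide. The EMAIL_TYPES set and the sample DNs are constructed for the example.

```python
import string
from typing import List, Tuple

# Attribute types under which an e-mail address is usually carried (constructed list).
EMAIL_TYPES = {"emailaddress", "e", "1.2.840.113549.1.9.1"}

def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse an RFC 4514 string DN such as 'CN=Ian,O=Example CA,C=GB' into RDNs, each a
    list of (type, value) pairs ('+' gives several). Backslash escapes are decoded."""
    rdns: List[List[Tuple[str, str]]] = []
    rdn: List[Tuple[str, str]] = []
    buf, typ, i = bytearray(), None, 0
    def flush_value() -> None:           # close the current type=value pair
        nonlocal buf, typ
        if typ is None:
            raise ValueError("RDN without '=' in %r" % dn)
        rdn.append((typ, buf.decode("utf-8").strip()))
        buf, typ = bytearray(), None
    if not dn: return rdns               # the empty DN is a legal (if useless) name
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                buf.append(int(pair, 16)); i += 3            # '\C3' style: one raw UTF-8 byte
            else:
                buf += dn[i + 1].encode("utf-8"); i += 2     # '\,' style: escaped special char
            continue
        if c == "=" and typ is None:
            typ = buf.decode("utf-8").strip(); buf = bytearray()
        elif c in ",+":
            flush_value()
            if c == ",":
                rdns.append(rdn); rdn = []
        else:
            buf += c.encode("utf-8")
        i += 1
    flush_value()
    rdns.append(rdn)
    return rdns

def email_attributes(dn: str) -> List[str]:
    """E-mail addresses carried in the Subject DN; an empty list means none is exposed."""
    return [v for rdn in parse_dn(dn) for t, v in rdn if t.lower() in EMAIL_TYPES]

def subject_key(dn: str) -> tuple:
    """Normalised form for uniqueness checks inside one CA's name space (simplified matching)."""
    return tuple(tuple(sorted((t.lower(), " ".join(v.split()).lower()) for t, v in rdn))
                 for rdn in parse_dn(dn))
```

The normalisation in subject_key only case-folds and collapses whitespace; full X.509 name comparison (RFC 5280 section 7.1) is stricter about string types.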