[Python-Dev] frozenset C API?
Bill Janssen janssen at parc.com
Wed Sep 5 00:21:10 CEST 2007
> X.509 DNs are sets of X.500 attributes, and X.500 attributes may be either single-valued or multiple-valued.
Conceptually perhaps (although I doubt that).
I got that from David Chadwick's book at http://sec.cs.kent.ac.uk/x500book/.
``An attribute comprises an attribute type and one or more attribute values.''
The question is, how would a multiple-valued attribute be represented in a certificate Name? I'm presuming it would appear as multiple attributes with the same "type", but different values.
Conceptually, it should be a list (order is relevant). It can then be debated whether the RDN can be represented as a dictionary; my understanding is that the intention of RDNs is that the AttributeType is unique within an RDN (but I may be wrong).
Name ::= CHOICE { RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE { type AttributeType, value AttributeValue }
Order is important in the directory tree, but not (I think) in the DN; that name is just an unordered set of attributes, because the hierarchy information has already been lost (the RDN elements cannot be distinguished from each other using only the internal certificate information).
In any case, it certainly sounds to me as if there can be multiple instances of AttributeTypeAndValue with the same "type" field in a single Name. So I'll represent them as tuples, which will preserve the order in which they occur in the certificate, and make the value immutable. Applications which need them as sets can create their own frozensets from that tuple.
Bill
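
As an added illustration of the representation chosen above (not code from this message or from any Python module), the sketch below walks the DER encoding of the quoted Name grammar and returns a tuple of RDNs, each a tuple of (type, value) pairs. The sample bytes, the OID table and every function name are constructed for the example; the last line shows a dict view silently dropping a repeated attribute type.

```python
# Attribute types are matched on their encoded OID bytes (2.5.4.3, 2.5.4.10).
OID_NAMES = {bytes.fromhex("550403"): "commonName",
             bytes.fromhex("55040a"): "organizationName"}
STRING_TAGS = {0x0C, 0x13, 0x16}  # UTF8String, PrintableString, IA5String

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def parse_name(der):
    """Name -> tuple of RDNs, each a tuple of (type, value) in encoded order."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one RDNSequence")
    rdns = []
    for rdn_tag, rdn in children(seq):
        if rdn_tag != 0x31:
            raise ValueError("expected SET OF AttributeTypeAndValue")
        pairs = []
        for _, atv in children(rdn):
            (t_tag, t), (v_tag, v) = children(atv)  # exactly type + value
            if t_tag != 0x06 or v_tag not in STRING_TAGS:
                raise ValueError("unsupported AttributeTypeAndValue")
            pairs.append((OID_NAMES.get(t, t.hex()), v.decode("utf-8")))
        rdns.append(tuple(pairs))
    return tuple(rdns)

# Constructed sample: O=Example, then one RDN holding two commonName values.
def tlv(tag, body): return bytes([tag, len(body)]) + body
def attr(oid, s): return tlv(0x30, tlv(0x06, bytes.fromhex(oid)) + tlv(0x0C, s))
SAMPLE = tlv(0x30, tlv(0x31, attr("55040a", b"Example"))
             + tlv(0x31, attr("550403", b"a.example") + attr("550403", b"b.example")))
NAME = parse_name(SAMPLE)
AS_DICT = dict(pair for rdn in NAME for pair in rdn)  # lossy: one CN is dropped
```

An application that needs set semantics can build `frozenset(NAME[1])` from the tuple without losing either value.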