[Python-Dev] frozenset C API?
"Martin v. Löwis" martin at v.loewis.de
Wed Sep 5 07:25:12 CEST 2007
>>> X.509 DNs are sets of X.500 attributes, and X.500 attributes may be either single-valued or multiple-valued.
>> Conceptually perhaps (although I doubt that).
> I got that from David Chadwick's book at http://sec.cs.kent.ac.uk/x500book/. ``An attribute comprises an attribute type and one or more attribute values.''

Ah, ok. But then, the DN is not a set of such attributes, but a sequence.

> The question is, how would a multiple-valued attribute be represented in a certificate Name? I'm presuming it would appear as multiple attributes with the same "type", but different values.

Within a single RelativeDistinguishedName, yes.

> Order is important in the directory tree, but not (I think) in the DN; that name is just an unordered set of attributes, because the hierarchy information has already been lost (the RDN elements cannot be distinguished from each other using only the internal certificate information).

Hmm. The directory tree only exists through the order in the DN. E.g. from
http://java.sun.com/products/jndi/tutorial/ldap/models/x500.html
"The X.500 namespace is hierarchical. An entry is unambiguously identified by a distinguished name (DN). A distinguished name is the concatenation of selected attributes from each entry, called the relative distinguished name (RDN), in the tree along a path leading from the root down to the named entry."
If the RDNs within a DN would not be ordered, you would not get a hierarchical tree, and you could not identify entries unambiguously.

> In any case, it certainly sounds to me as if there can be multiple instances of AttributeTypeAndValue with the same "type" field in a single Name. So I'll represent them as tuples, which will preserve the order in which they occur in the certificate, and make the value immutable.

Ok. I think this will still not support multi-valued RDNs properly, but those are uncommon in PKI.
Regards, Martin
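
The distinction discussed in this message, as an added example that is not part of the original post and is not code from the Python source tree: a Name is an ordered sequence of RDNs, and each RDN is an unordered set of (type, value) pairs. The nested-tuple shape, the function names and the sample names are assumptions made for illustration; values are compared as exact strings.

```python
# Added illustration. A Name is modelled as a tuple of RDNs; each RDN is a
# tuple of (type, value) pairs (AttributeTypeAndValue). All data is constructed.

def normalize(name):
    """Keep the order of RDNs, drop the order of pairs inside each RDN."""
    return tuple(frozenset(rdn) for rdn in name)


def names_equal(a, b):
    """RDN order is significant; attribute order within one RDN is not.
    Values are compared as exact strings (no case or whitespace folding)."""
    return normalize(a) == normalize(b)


def flatten(name):
    """Flat tuple of (type, value) pairs in certificate order.
    RDN boundaries are lost in this form."""
    return tuple(pair for rdn in name for pair in rdn)


# One multi-valued RDN: CN and UID belong to the same tree level.
MULTI = (
    (("O", "Example"),),
    (("CN", "Alice"), ("UID", "1001")),
)

# Same pairs, but as two single-valued RDNs: UID is one level below CN.
SPLIT = (
    (("O", "Example"),),
    (("CN", "Alice"),),
    (("UID", "1001"),),
)

# Same Name as MULTI with the pairs of the second RDN swapped.
MULTI_SWAPPED = (
    (("O", "Example"),),
    (("UID", "1001"), ("CN", "Alice")),
)

if __name__ == "__main__":
    print("flat forms identical:   ", flatten(MULTI) == flatten(SPLIT))
    print("structured forms equal: ", names_equal(MULTI, SPLIT))
    print("swap inside RDN equal:  ", names_equal(MULTI, MULTI_SWAPPED))
    print("reversed RDN order equal:", names_equal(MULTI, tuple(reversed(MULTI))))
```

A flat tuple of pairs gives the same value for `MULTI` and `SPLIT`, so code that compares or authorizes on the flat form cannot tell the two names apart.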