[Python-Dev] frozenset C API?
"Martin v. Löwis" martin at v.loewis.de
Wed Sep 5 18:05:27 CEST 2007
The hierarchy information does not appear to be preserved.
But it only appears so. OpenSSL does not know how to render it properly (hence I say it is not very common in PKI), but they started supporting that when generating certificates, with the -multivalue-rdn option for req, and if you do
openssl asn1parse -in ca1.crt
you see that they differ:
(ca1)
l= 17 cons: SEQUENCE
l= 10 prim: OBJECT :domainComponent
l= 3 prim: IA5STRING :org
l= 22 cons: SET
l= 20 cons: SEQUENCE
l= 10 prim: OBJECT :domainComponent
l= 6 prim: IA5STRING :python
l= 12 cons: SET
l= 10 cons: SEQUENCE
l= 3 prim: OBJECT :commonName
l= 3 prim: PRINTABLESTRING :foo
l= 12 cons: SET
l= 10 cons: SEQUENCE
l= 3 prim: OBJECT :commonName
l= 3 prim: PRINTABLESTRING :bar

(ca2)
l= 17 cons: SEQUENCE
l= 10 prim: OBJECT :domainComponent
l= 3 prim: IA5STRING :org
l= 22 cons: SET
l= 20 cons: SEQUENCE
l= 10 prim: OBJECT :domainComponent
l= 6 prim: IA5STRING :python
l= 26 cons: SET
l= 11 cons: SEQUENCE
l= 3 prim: OBJECT :commonName
l= 4 prim: PRINTABLESTRING :bar2
l= 11 cons: SEQUENCE
l= 3 prim: OBJECT :commonName
l= 4 prim: PRINTABLESTRING :foo2
In the first case, foo and bar are in different sets, in the second case, they are in the same set.
For people concerned about security, that makes a difference.
If OpenSSL actually supports that in its APIs, my proposal would be to make a multi-valued RDN a more-than-two-tuple, e.g.
(('DC','org'),('DC','python'),('CN','bar2','CN','foo2'))
That would make it possible to distinguish the names (pun intended), yet still not produce structural overhead for the normal case of single-valued RDNs.
Regards, Martin
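
Added example, not part of the original message or of Python's ssl module: a minimal DER reader that turns a Name into the tuple form proposed above and compares it with a flattened per-attribute form. All function names, the keep_rdns parameter and the sample names (built inline; CA3 and CA4 are constructed for the comparison) are assumptions, and only short-form DER lengths are handled.

```python
# Added example: minimal DER handling for X.509 Names (short-form lengths only).
OIDS = {bytes.fromhex("0992268993f22c640119"): "DC",   # domainComponent
        bytes.fromhex("550403"): "CN"}                 # commonName
STRING_TAG = {"DC": 0x16, "CN": 0x13}                  # IA5String, PrintableString

def tlv(tag, body):
    """Encode one DER element: tag, one-byte length, body."""
    if len(body) > 127:
        raise ValueError("long-form lengths are outside this sketch")
    return bytes([tag, len(body)]) + body

def build_name(*rdns):
    """Build constructed sample input; each argument is one RDN, a list of (type, value)."""
    by_name = {v: k for k, v in OIDS.items()}
    def ava(t, v):  # AttributeTypeAndValue ::= SEQUENCE { OID, string }
        return tlv(0x30, tlv(0x06, by_name[t]) + tlv(STRING_TAG[t], v.encode("ascii")))
    # DER orders the members of a SET OF by their encoding
    return tlv(0x30, b"".join(tlv(0x31, b"".join(sorted(ava(*a) for a in r))) for r in rdns))

def elements(data):
    """Return [(tag, body), ...] for the DER elements packed in data."""
    out, i = [], 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        if n > 127 or i + 2 + n > len(data):
            raise ValueError("long-form length or truncated element")
        out.append((tag, data[i + 2:i + 2 + n]))
        i += 2 + n
    return out

def parse_name(der, keep_rdns=True):
    """keep_rdns=True: one tuple per RDN (the proposal); False: one pair per attribute."""
    (tag, body), = elements(der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    result = []
    for set_tag, rdn in elements(body):
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        pairs = []
        for _, seq in elements(rdn):
            (_, oid), (_, value) = elements(seq)
            pairs.append((OIDS.get(oid, oid.hex()), value.decode("ascii")))
        result += [tuple(x for p in pairs for x in p)] if keep_rdns else pairs
    return tuple(result)

CA1 = build_name([("DC", "org")], [("DC", "python")], [("CN", "foo")], [("CN", "bar")])
CA2 = build_name([("DC", "org")], [("DC", "python")], [("CN", "bar2"), ("CN", "foo2")])
# Constructed pair: identical attributes, one multi-valued RDN versus two single-valued RDNs
CA3 = build_name([("DC", "org")], [("DC", "python")], [("CN", "bar"), ("CN", "foo")])
CA4 = build_name([("DC", "org")], [("DC", "python")], [("CN", "bar")], [("CN", "foo")])
```

With keep_rdns=False, CA3 and CA4 parse to the same value even though their encodings differ; with the proposed form they stay distinct.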