[Python-Dev] frozenset C API?

"Martin v. Löwis" martin at v.loewis.de
Wed Sep 5 07:25:12 CEST 2007

>>> X.509 DNs are sets of X.500 attributes, and X.500
>>> attributes may be either single-valued or multiple-valued.
>> Conceptually perhaps (although I doubt that).
> I got that from David Chadwick's book at http://sec.cs.kent.ac.uk/x500book/.
> ``An attribute comprises an attribute type and one or more attribute values.''

Ah, ok. But then, the DN is not a *set* of such attributes, but a

> The question is, how would a multiple-valued attribute be represented
> in a certificate Name?  I'm presuming it would appear as multiple
> attributes with the same "type", but different values.

Within a single RelativeDistinguishedName, yes.

> Order is important in the directory tree, but not (I think) in the DN;
> that name is just an unordered set of attributes, because the
> hierarchy information has already been lost (the RDN elements cannot
> be distinguished from each other using only the internal certificate
> information).

Hmm. The directory tree only exists through the order in the DN.
E.g. from


"The X.500 namespace is hierarchical. An entry is unambiguously
identified by a distinguished name (DN). A distinguished name is the
concatenation of selected attributes from each entry, called the
relative distinguished name (RDN), in the tree along a path leading from
the root down to the named entry."

If the RDNs within a DN were not ordered, you would not get
a hierarchical tree, and you could not identify entries unambiguously.

> In any case, it certainly sounds to me as if there can be multiple
> instances of AttributeTypeAndValue with the same "type" field in a
> single Name.  So I'll represent them as tuples, which will preserve
> the order in which they occur in the certificate, and make the value
> immutable.

Ok. I think this will still not support multi-valued RDNs properly, but
those are uncommon in PKI.
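
The two points argued in this message, as an added example that is not part of the original thread: RDN order in a DN is significant, and a flat tuple of attributes cannot express a multi-valued RDN. It models a Name the way X.501 defines it (an ordered sequence of RDNs, each RDN a SET OF AttributeTypeAndValue); all function names and sample DNs are constructed for illustration.

```python
# Added illustration; every name and sample DN here is constructed.

def make_dn(*rdns):
    """DN = ordered tuple of RDNs; each RDN = unordered set of (type, value)."""
    return tuple(frozenset(rdn) for rdn in rdns)

def flatten(dn):
    """Flat tuple of pairs: keeps RDN order but drops the RDN boundaries."""
    return tuple(pair for rdn in dn for pair in sorted(rdn))

def as_unordered_set(dn):
    """The 'DN is just an unordered set of attributes' view."""
    return frozenset(pair for rdn in dn for pair in rdn)

def is_under(dn, base):
    """True if dn names base itself or an entry below it in the tree."""
    return dn[:len(base)] == base

O = [("O", "Example")]

# Same attributes, different RDN order: two different entries in the tree.
dn_a = make_dn(O, [("OU", "Sales")], [("OU", "Europe")])
dn_b = make_dn(O, [("OU", "Europe")], [("OU", "Sales")])

# One multi-valued RDN versus two single-valued RDNs.
dn_multi = make_dn(O, [("OU", "Marketing"), ("OU", "Sales")])
dn_two = make_dn(O, [("OU", "Marketing")], [("OU", "Sales")])

if __name__ == "__main__":
    sales = make_dn(O, [("OU", "Sales")])
    # The unordered-set view cannot tell dn_a from dn_b.
    print(as_unordered_set(dn_a) == as_unordered_set(dn_b), dn_a == dn_b)
    # Only the ordered form answers "is this entry below O=Example, OU=Sales?"
    print(is_under(dn_a, sales), is_under(dn_b, sales))
    # The flat tuple cannot tell a multi-valued RDN from two RDNs.
    print(flatten(dn_multi) == flatten(dn_two), dn_multi == dn_two)
```

Any code that matches or authorizes on a certificate subject should compare the nested form, since both lossy views treat distinct names as equal.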

