[Python-Dev] frozenset C API?
"Martin v. Löwis"
martin at v.loewis.de
Wed Sep 5 07:25:12 CEST 2007
>>> X.509 DNs are sets of X.500 attributes, and X.500
>>> attributes may be either single-valued or multiple-valued.
>> Conceptually perhaps (although I doubt that).
> I got that from David Chadwick's book at http://sec.cs.kent.ac.uk/x500book/.
> ``An attribute comprises an attribute type and one or more attribute values.''
Ah, ok. But then, the DN is not a *set* of such attributes, but a
> The question is, how would a multiple-valued attribute be represented
> in a certificate Name? I'm presuming it would appear as multiple
> attributes with the same "type", but different values.
Within a single RelativeDistinguishedName, yes.
> Order is important in the directory tree, but not (I think) in the DN;
> that name is just an unordered set of attributes, because the
> hierarchy information has already been lost (the RDN elements cannot
> be distinguished from each other using only the internal certificate
Hmm. The directory tree only exists through the order in the DN.
"The X.500 namespace is hierarchical. An entry is unambiguously
identified by a distinguished name (DN). A distinguished name is the
concatenation of selected attributes from each entry, called the
relative distinguished name (RDN), in the tree along a path leading from
the root down to the named entry."
If the RDNs within a DN were not ordered, you would not get
a hierarchical tree, and you could not identify entries unambiguously.
> In any case, it certainly sounds to me as if there can be multiple
> instances of AttributeTypeAndValue with the same "type" field in a
> single Name. So I'll represent them as tuples, which will preserve
> the order in which they occur in the certificate, and make the value
Ok. I think this will still not support multi-valued RDNs properly, but
those are uncommon in PKI.
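
The distinction discussed in this message, as an added example that is not part of the original e-mail: a DN modelled as an ordered sequence of RDNs, each RDN an unordered set of (type, value) pairs, compared against a flat tuple and a flat set of attributes. The helper names and all attribute values are constructed for illustration.

```python
# Added illustration; all names and values are constructed sample data.

def dn(*rdns):
    """DN as an ordered tuple of RDNs; each RDN is an unordered
    frozenset of (type, value) pairs."""
    return tuple(frozenset(rdn) for rdn in rdns)

def flat_tuple(name):
    """Flat tuple of pairs in certificate order: RDN boundaries are lost.
    sorted() stands in for the encoded order of the pairs inside one RDN."""
    return tuple(atv for rdn in name for atv in sorted(rdn))

def flat_set(name):
    """Unordered set of pairs: RDN order and boundaries are both lost."""
    return frozenset(atv for rdn in name for atv in rdn)

# Same attributes, RDNs in a different order: two different tree paths.
sales_under_audit = dn([("O", "Example")], [("OU", "Audit")], [("OU", "Sales")])
audit_under_sales = dn([("O", "Example")], [("OU", "Sales")], [("OU", "Audit")])

# One multi-valued RDN (CN + UID) versus two single-valued RDNs.
multi_valued = dn([("O", "Example")], [("CN", "alice"), ("UID", "1001")])
two_levels = dn([("O", "Example")], [("CN", "alice")], [("UID", "1001")])

def compare(a, b):
    """Report which representations consider the two names equal."""
    return {
        "nested": a == b,
        "flat_tuple": flat_tuple(a) == flat_tuple(b),
        "flat_set": flat_set(a) == flat_set(b),
    }

if __name__ == "__main__":
    print(compare(sales_under_audit, audit_under_sales))
    print(compare(multi_valued, two_levels))
```

Only the nested form keeps both names in each pair distinct, which matters wherever a certificate subject is matched against an expected name.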