
Re: Additional issue on RFC 2253 usage in relation with XMLSig: On the capability of the RFC2253 "CN=Sam" encoding form for identifying a Certificate.

From: Sean Mullan <Sean.Mullan@Sun.COM>
Date: Tue, 19 Jun 2007 17:15:19 -0400
To: Konrad Lanz <Konrad.Lanz@iaik.tugraz.at>
Cc: public-xmlsec-maintwg@w3.org
Message-id: <46784767.5030003@sun.com>

Konrad Lanz wrote:
> Dear all,
> 
> I do not think that XMLDSig is the right place to perform DNAME
> constraining, canonicalization or comparison.
> Usually RFC 2253/4514 implementations will parse two string
> representations and rather use means as specified in RFC 4517 section 4
> to compare two values.
> 
> However I would agree giving input to the IETF as these specifications
> are located in their premises. Such input could essentially ask for a
> canonical string representation for DNAMEs.
> 
> That would be really nice and such a DNAME comparison could then be
> reduced to a simple string comparison. ;-)

FYI, we have defined one for Java:

http://java.sun.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String)

See the paragraph that starts with "If "CANONICAL" is specified as the
format ..."

--Sean
Received on Tuesday, 19 June 2007 21:16:05 GMT
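
The comparison discussed in this message, as an added example that is not part of the original post: two differently written DN strings are reduced to Java's `X500Principal.CANONICAL` form and then compared as plain strings. The DN values and the class and helper names are constructed for illustration.

```java
import javax.security.auth.x500.X500Principal;

public class CanonicalDnCompare {

    // Reduce an RFC 2253 style DN string to Java's CANONICAL form.
    // Throws IllegalArgumentException if the string is not a valid DN.
    static String canonical(String dn) {
        return new X500Principal(dn).getName(X500Principal.CANONICAL);
    }

    // True when both DN strings have the same canonical string form.
    static boolean sameName(String a, String b) {
        return canonical(a).equals(canonical(b));
    }

    public static void main(String[] args) {
        // Constructed sample values: the same name written with different
        // case, separator spacing and internal whitespace.
        String inSignature = "CN=Sam, O=Example Corp, C=US";
        String inCertificate = "cn=SAM,o=example   corp,c=us";
        // Constructed sample value: a different organization.
        String unrelated = "CN=Sam, O=Other Corp, C=US";

        System.out.println(canonical(inSignature));
        System.out.println(canonical(inCertificate));

        // A raw string comparison treats the two spellings as different names.
        System.out.println("raw equal:       " + inSignature.equals(inCertificate));
        // After canonicalization the comparison is a simple string comparison.
        System.out.println("canonical equal: " + sameName(inSignature, inCertificate));
        System.out.println("unrelated equal: " + sameName(inSignature, unrelated));

        // X500Principal.equals is defined in terms of the same canonical form.
        System.out.println("principal equal: "
                + new X500Principal(inSignature).equals(new X500Principal(inCertificate)));

        // A malformed DN is rejected at parse time instead of being compared.
        try {
            canonical("not a distinguished name");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected malformed DN");
        }
    }
}
```

The canonical form is specific to the Java API, so it is useful for comparing names inside a Java implementation and not as an interchange format between implementations.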
