From: Michael S. <mi...@st...> - 2014-10-15 21:32:51
Tomas Gustavsson wrote:
> Of course EJBCA is not caring about the string representation of DNs,

Not true! (not meant as offense)

If you accept an input field or config file value with a DN (like EJBCA does in various places) you're definitely in the business of dealing with string representation of DNs!

Let's pick an example from your docs:

http://www.ejbca.org/docs/userguide.html#Name%20Constraints

  C=SE,O=Company
  Matches against the beginning of the Subject DN. The certificates must not use LDAP DN order, which is enabled by default!

Can you see the confusion introduced?

> Anyhow, to summarize your suggestion it is to "uncheck" the checkbox by
> default, and remove the option.

Yepp.

> Providing only one possible asn.1
> encoding, which in your view is the correct one?

You simply have to preserve the RDNSequence order in whatever data structure you keep or convert the DN at a given time. ;-)

Ciao, Michael.
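
The ambiguity discussed in the message above, as an added example that is not part of the original post and is not EJBCA code: the same constraint string `C=SE,O=Company` yields two different RDNSequences depending on which string convention the parser assumes, and only one of them is a prefix of the subject. The helper names and the sample subject are hypothetical, and the parser assumes single-valued RDNs without escaped commas.

```python
# Added illustration; helper names are hypothetical, not EJBCA APIs.
# An RDNSequence is modelled as a list of (type, value) pairs in encoding
# order (first RDN in the ASN.1 SEQUENCE first).
# Simplification: single-valued RDNs, no escaping, exact value comparison.

def parse_dn(text, ldap_order):
    """Parse a DN string into an RDNSequence in encoding order.

    ldap_order=True : RFC 4514 style string, last RDN of the sequence first.
    ldap_order=False: string lists RDNs in encoding order.
    """
    rdns = []
    for part in text.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns[::-1] if ldap_order else rdns

def format_dn(rdns, ldap_order):
    """Render an RDNSequence as a string in the chosen convention."""
    ordered = rdns[::-1] if ldap_order else rdns
    return ",".join(f"{a}={v}" for a, v in ordered)

def within_subtree(subject, base):
    """directoryName constraint: base must match the beginning of subject."""
    return len(base) <= len(subject) and subject[:len(base)] == base

# Constructed sample data: the subject as it sits in the certificate.
SUBJECT = [("C", "SE"), ("O", "Company"), ("CN", "Alice")]
CONSTRAINT_TEXT = "C=SE,O=Company"  # the string from the quoted docs

def demo():
    """Return {assumed_ldap_order: constraint_matches} for the same input."""
    return {
        ldap_order: within_subtree(SUBJECT, parse_dn(CONSTRAINT_TEXT, ldap_order))
        for ldap_order in (False, True)
    }

if __name__ == "__main__":
    print(format_dn(SUBJECT, ldap_order=True))
    print(format_dn(SUBJECT, ldap_order=False))
    print(demo())
```

Keeping the RDNSequence as the internal form and converting to a string only at the edges, with the convention fixed, keeps the constraint check independent of any display setting.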