[Freeipa-devel] [freeipa PR#228][comment] cert-request: allow directoryName in SAN extension

jcholast freeipa-github-notification at redhat.com
Tue Nov 29 13:48:40 UTC 2016


  URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

jcholast commented:
"""
Ok,

> Why do you see a relationship between the subject DN of a X.509 and the directoryName general name in SAN X.509v3 extension?

According to RFC 5280 section 4.1.2.6 the subject DN and SANs are equivalent in terms of identifying the subject entity:
> The subject field identifies the entity associated with the public
> key stored in the subject public key field.  The subject name MAY be
> carried in the subject field and/or the subjectAltName extension.

Compare how the subject DN is defined in RFC 5280 section 4.1.2.6:
> Where it is non-empty, the subject field MUST contain an X.500
> distinguished name (DN).  The DN MUST be unique for each subject
> entity certified by the one CA as defined by the issuer field.  A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.

... with how the DN SAN is defined in RFC 5280 section 4.2.1.6:
> When the subjectAltName extension contains a DN in the directoryName,
> the encoding rules are the same as those specified for the issuer
> field in Section 4.1.2.4.  The DN MUST be unique for each subject
> entity certified by the one CA as defined by the issuer field.  A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.

See that there is no mention of any semantic difference between them as means of identifying the subject entity.

Further specifications such as the name constraints extension also treat them equally. RFC 5280 section 4.2.1.10:
> Restrictions of the form directoryName MUST be applied to the subject
> field in the certificate (when the certificate includes a non-empty
> subject field) and to any names of type directoryName in the
> subjectAltName extension.

> The subject follows different rules, e.g. a disjunct set of RDN attributes.

I could not find any mention of this in RFC 5280 nor the X.500 series of standards. I'm assuming it's because it's not there.

> Attributes like DC, UID etc. are not commonly found in a X.509 cert's subject.

Neither RFC 5280 nor the X.500 series of standards impose any restrictions on the attributes used. However, RFC 5280 section 4.1.2.4 says:
> In addition, **implementations of this specification MUST be prepared**
> **to receive the domainComponent attribute**, as defined in [RFC4519].

> With multiple SubCAs (e.g. for VPN, client cert auth, host certs) we end up with different subject DNs but with the same directoryName GN SAN entry.

Currently we in fact end up with the same subject DN, which is just fine, as they refer to the same subject entity.

> The directoryName is designed to hold a LDAP DN.

I don't think that's true, as there is no mention of this in the directoryName SAN specification (see above).

> A certificate's Subject DN is not really a distinguishing name in the sense of a unique identifier.

Let me quote RFC 5280 section 4.1.2.6 again:
> Where it is non-empty, the subject field MUST contain an X.500
> distinguished name (DN).  **The DN MUST be unique for each subject**
> **entity certified by the one CA as defined by the issuer field**.  A CA
> MAY issue more than one certificate with the same DN to the same
> subject entity.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/228#issuecomment-263574255
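The comment above argues, from RFC 5280 sections 4.1.2.6 and 4.2.1.10, that a directoryName in the SAN extension and the subject field are equivalent identifiers and that name constraints must be applied to both. The following is an added example written for this thread, not FreeIPA or Dogtag code: it models certificates as plain dicts (constructed input, not parsed DER), uses a simplified RFC 4514-style DN parser that does not handle escaping, and checks (a) that every directoryName identity, subject and SAN alike, falls inside the permitted subtrees and outside the excluded ones, and (b) that a certificate with an empty subject carries its name in a critical subjectAltName, as section 4.1.2.6 requires. The sub-CA constraint, the user DNs and the "evil.org" escape case are all made up for the example.

```python
"""Name-constraint and subject-placement checks for directoryName identities.

Added example for this thread, not FreeIPA or Dogtag code.  It applies the
RFC 5280 rules the comment cites: a directoryName constraint (s4.2.1.10) is
checked against the subject field and every SAN directoryName alike, and an
empty subject (s4.1.2.6) must be backed by a critical subjectAltName.
Certificates are plain dicts built inline (constructed input, not parsed DER).
"""
from typing import List, Optional, Sequence, Tuple

# A DN is a root-first tuple of RDNs; each RDN is a frozenset of (type, value)
# pairs so multi-valued RDNs compare regardless of attribute order.
DN = Tuple[frozenset, ...]


def _norm(value: str) -> str:
    """RFC 5280 s7.1 comparison: ignore case and insignificant whitespace."""
    return " ".join(value.split()).casefold()


def parse_dn(text: str) -> DN:
    """Parse 'CN=x+UID=y,DC=z' (RFC 4514 style, no escaping: sample input only).
    The string is leaf-first; the returned tuple is root-first, the order in
    which RFC 5280 subtree matching takes prefixes."""
    if not text.strip():
        return ()
    rdns = []
    for rdn in text.split(","):
        pairs = []
        for ava in rdn.split("+"):
            attr, _, value = ava.partition("=")
            pairs.append((attr.strip().upper(), _norm(value)))
        rdns.append(frozenset(pairs))
    return tuple(reversed(rdns))


def fmt_dn(dn: DN) -> str:
    """Render a DN leaf-first again, for messages."""
    return ",".join("+".join(f"{a}={v}" for a, v in sorted(r)) for r in reversed(dn))


def dn_within_subtree(name: DN, base: DN) -> bool:
    """RFC 5280 s7.1: a DN is in a directoryName subtree when the base DN is
    an initial sequence of the name's RDNs."""
    return len(name) >= len(base) and name[: len(base)] == base


def identity_names(cert: dict) -> List[DN]:
    """The subject field (when non-empty) plus every SAN directoryName: the set
    to which RFC 5280 s4.2.1.10 applies directoryName constraints."""
    names = [cert["subject"]] if cert["subject"] else []
    return names + list(cert.get("san_directory_names", []))


def check_name_constraints(cert: dict, permitted: Sequence[DN],
                           excluded: Sequence[DN]) -> Optional[str]:
    """None if every directoryName identity satisfies the constraints, else
    a message naming the first offending DN."""
    for name in identity_names(cert):
        if any(dn_within_subtree(name, b) for b in excluded):
            return f"{fmt_dn(name)} is inside an excluded subtree"
        if permitted and not any(dn_within_subtree(name, b) for b in permitted):
            return f"{fmt_dn(name)} is outside every permitted subtree"
    return None


def check_subject_placement(cert: dict) -> Optional[str]:
    """RFC 5280 s4.1.2.6: an empty subject means the name is only in SAN, so
    SAN must be present and critical (only directoryName SANs are modelled)."""
    if cert["subject"]:
        return None
    if not cert.get("san_directory_names"):
        return "empty subject with no subjectAltName"
    if not cert.get("san_critical", False):
        return "empty subject but subjectAltName is not critical"
    return None


# Constructed sample data: a sub-CA constrained to the dc=example,dc=com tree,
# with the admins container excluded.  All names are hypothetical.
PERMITTED = [parse_dn("DC=example,DC=com")]
EXCLUDED = [parse_dn("CN=admins,CN=accounts,DC=example,DC=com")]
USER_DN = "UID=alice,CN=users,CN=accounts,DC=example,DC=com"

CERT_OK = {"subject": parse_dn("CN=alice,DC=example,DC=com"),
           "san_directory_names": [parse_dn(USER_DN)], "san_critical": False}
# Subject is compliant, but the SAN directoryName names an entity elsewhere.
CERT_SAN_ESCAPES = {"subject": parse_dn("CN=alice,DC=example,DC=com"),
                    "san_directory_names": [parse_dn("UID=alice,DC=evil,DC=org")]}
CERT_SAN_EXCLUDED = {"subject": parse_dn("CN=admin,DC=example,DC=com"),
                     "san_directory_names": [parse_dn("UID=admin,CN=admins,CN=accounts,DC=example,DC=com")]}
# Name carried only in SAN: allowed, but the extension must then be critical.
CERT_EMPTY_SUBJECT = {"subject": parse_dn(""), "san_directory_names": [parse_dn(USER_DN)],
                      "san_critical": True}
CERT_EMPTY_SUBJECT_NONCRIT = dict(CERT_EMPTY_SUBJECT, san_critical=False)


def run_examples() -> dict:
    """Map each sample certificate to (constraint result, placement result)."""
    return {name: (check_name_constraints(c, PERMITTED, EXCLUDED), check_subject_placement(c))
            for name, c in [("ok", CERT_OK), ("san_escapes", CERT_SAN_ESCAPES),
                            ("san_excluded", CERT_SAN_EXCLUDED),
                            ("empty_subject", CERT_EMPTY_SUBJECT),
                            ("empty_subject_noncrit", CERT_EMPTY_SUBJECT_NONCRIT)]}


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: constraints={result[0]!r} placement={result[1]!r}")
```

The point the example makes concrete is the one the comment draws from section 4.2.1.10: a sub-CA whose name constraint permits only `dc=example,dc=com` cannot issue a certificate with a compliant subject and a SAN directoryName under some other tree, because the constraint is evaluated over both fields. A checker that only looked at the subject would accept `CERT_SAN_ESCAPES`.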
