[foaf-protocols] FOAF+SSL Distinguished Name

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Tue Feb 16 19:13:02 CET 2010


Although there are historical links between LDAP and the distinguished 
names in X.509 certificates, I don't think we should use LDAP URIs this way.

What we get from a Subject DN is an X.500 name. It's a sequence of 
AttributeType-AttributeValue pairs, where the name is an OID for one of 
the fields (e.g. CommonName or Organization) and the value can be 
anything (depending on what the attribute type is).

<http://tools.ietf.org/html/rfc3280#appendix-A>

DistinguishedName ::=   RDNSequence

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

RelativeDistinguishedName  ::=
                     SET SIZE (1 .. MAX) OF AttributeTypeAndValue

AttributeType           ::=  OBJECT IDENTIFIER

AttributeValue          ::=  ANY

AttributeTypeAndValue           ::=     SEQUENCE {
         type    AttributeType,
         value   AttributeValue }



The serialisation of RDNSequence isn't that straightforward. Java has at 
least 3 ways of turning an X500Principal into a string, the default 
being RFC-2253 <http://tools.ietf.org/html/rfc2253>, see
<http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/x500/X500Principal.html#getName%28%29>

Some applications will use a completely different string representation 
of a DN. In particular, what's quite common in the Apache/OpenSSL 
environment is to use '/' as a separator and have the fields ordered the 
other way around, for example:

  /O=FOAF+SSL/UID=http://esw.w3.org/topic/foaf+ssl/CN=FOAF+SSL Version 1

whereas Java (using the RFC2253 format) would show:

  CN=FOAF+SSL Version 1,UID=http://esw.w3.org/topic/foaf+ssl,O=FOAF+SSL

The obvious problem is the use of slash as a separator, which conflicts 
with the URI's slash.



If you really want to model DNs in RDF, I guess you need to model the 
sequence, perhaps with blank nodes and OIDs (considering that some of 
the values may be binary blobs).


Best wishes,

Bruno.


Story Henry wrote:
> On 16 Feb 2010, at 17:18, Story Henry wrote:
>> :we a foaf:Agent;
> 
> 
> I am not sure what the correct ldap URL would be for the DN we propose, and indeed if it can be written out. 
> 
> From http://ftp.ics.uci.edu/pub/ietf/uri/rfc2255.txt
> and http://www.ietf.org/rfc/rfc1959.txt (which has some examples)
> I guess it could be something like (though the non-compliant chars need to be escaped with %):
> 
> <ldap:///o=FOAF+SSL,uid=http://esw.w3.org/topic/foaf+ssl,cn=FOAF+SSL Version 1>
> 
> If something like that is right, then we could write:
> 
> :we a foaf:Agent;
>     owl:sameAs <ldap:///o=FOAF+SSL,uid=http://esw.w3.org/topic/foaf+ssl,cn=FOAF+SSL Version 1> .
> 
> Henry
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
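The two renderings of the same DN quoted above (OpenSSL/Apache '/'-separated form in ASN.1 order, RFC 2253 form in reverse order) parsed into one canonical RDNSequence, as an added example that is not code from the post or from the FOAF+SSL project. It uses only the Python 3 standard library. Assumptions: the short-name-to-OID table is constructed here and covers only the attribute types in the example; the '/' splitting rule for the OpenSSL form is a heuristic, since that format has no escaping; and because RFC 2253 section 2.4 requires '+' inside a value to be backslash-escaped, the strictly conformant RFC 2253 string for this DN is shown with "\+", while the unescaped spelling given in the post is kept as a second constructed input to show that it does not parse as RFC 2253.

```python
"""Added example: parse the OpenSSL one-line and RFC 2253 serialisations of a
DN into one RDNSequence (ASN.1 order, attribute types as OIDs), and show why
splitting the OpenSSL form on '/' fails when a value is a URI.  Python 3,
standard library only; not code from the post or the FOAF+SSL project."""
import re

# Constructed lookup for the example: X.520 types (2.5.4.x) plus the
# COSINE pilot attributes UID and DC (0.9.2342.19200300.100.1.x).
ATTR_OIDS = {
    "CN": "2.5.4.3", "C": "2.5.4.6", "L": "2.5.4.7", "ST": "2.5.4.8",
    "O": "2.5.4.10", "OU": "2.5.4.11",
    "UID": "0.9.2342.19200300.100.1.1", "DC": "0.9.2342.19200300.100.1.25",
}
OID_NAMES = {oid: name for name, oid in ATTR_OIDS.items()}
_OID_RE = re.compile(r"^(oid\.|OID\.)?\d+(\.\d+)+$")


def to_oid(attr_type):
    """Map a short name (CN, O, ...) or a dotted OID string to the OID."""
    t = attr_type.strip()
    if _OID_RE.match(t):
        return t.split(".", 1)[1] if t.lower().startswith("oid.") else t
    try:
        return ATTR_OIDS[t.upper()]
    except KeyError:
        raise ValueError("unknown attribute type %r" % attr_type) from None


def parse_rfc2253(s):
    """Parse an RFC 2253 string into an RDNSequence in ASN.1 order (root
    first), i.e. the reverse of the textual order.  Each RDN is a list of
    (oid, value) pairs.  ',' separates RDNs, '+' joins the values of a
    multi-valued RDN, and '\\c' / '\\XX' escape a literal char / raw byte,
    so an unescaped '+' or ',' inside a value is a syntax error."""
    rdns, rdn = [], []
    key, buf = None, bytearray()
    i, n = 0, len(s)

    def flush():
        nonlocal key, buf
        if key is None:
            raise ValueError("attribute without '=' in %r" % s)
        rdn.append((to_oid(key), buf.decode("utf-8")))
        key, buf = None, bytearray()

    while i < n:
        c = s[i]
        if c == "\\" and i + 1 < n:
            pair = s[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                buf.append(int(pair, 16))          # \XX is one UTF-8 byte
                i += 3
            else:
                buf += s[i + 1].encode("utf-8")    # \c is a literal c
                i += 2
            continue
        if c == "=" and key is None:
            key, buf = buf.decode("utf-8"), bytearray()
        elif c == "+":
            flush()
        elif c == ",":
            flush()
            rdns.append(rdn)
            rdn = []
        else:
            buf += c.encode("utf-8")
        i += 1
    flush()
    rdns.append(rdn)
    return rdns[::-1]


# A '/' starts a new RDN only when followed by 'TYPE='.  Heuristic: the
# OpenSSL one-line format has no escaping, so a value that itself contains
# the text '/CN=' cannot be told apart from a separator.
_SEP_RE = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_openssl_oneline(s):
    """Parse '/TYPE=value/TYPE=value' as printed by OpenSSL and exposed by
    Apache in SSL_CLIENT_S_DN.  Already in ASN.1 order; single-valued RDNs."""
    if not s.startswith("/"):
        raise ValueError("OpenSSL one-line DN must start with '/'")
    rdns = []
    for chunk in _SEP_RE.split(s[1:]):
        key, _, value = chunk.partition("=")
        rdns.append([(to_oid(key), value)])
    return rdns


def naive_split(s):
    """What splitting the OpenSSL form on every '/' gives: the URI value is
    shredded into several pieces."""
    return s.split("/")


_ESCAPE = set(',+"\\<>;')


def _escape_value(v):
    out = []
    for i, ch in enumerate(v):
        special = ch in _ESCAPE or (i == 0 and ch in " #") or (i == len(v) - 1 and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)


def to_rfc2253(rdns):
    """Serialise an ASN.1-ordered RDNSequence the RFC 2253 way: most
    specific RDN first, '+' inside a multi-valued RDN, values escaped."""
    return ",".join(
        "+".join("%s=%s" % (OID_NAMES.get(oid, oid), _escape_value(val)) for oid, val in rdn)
        for rdn in reversed(rdns))


def parses_as_rfc2253(s):
    try:
        parse_rfc2253(s)
        return True
    except ValueError:
        return False


# Constructed inputs: the DN from the post in its three spellings.
OPENSSL_DN = "/O=FOAF+SSL/UID=http://esw.w3.org/topic/foaf+ssl/CN=FOAF+SSL Version 1"
RFC2253_DN = "CN=FOAF\\+SSL Version 1,UID=http://esw.w3.org/topic/foaf\\+ssl,O=FOAF\\+SSL"
POST_RFC2253_DN = "CN=FOAF+SSL Version 1,UID=http://esw.w3.org/topic/foaf+ssl,O=FOAF+SSL"

if __name__ == "__main__":
    print("naive '/' split:", naive_split(OPENSSL_DN))
    seq = parse_openssl_oneline(OPENSSL_DN)
    print("RDNSequence:", seq)
    print("same as RFC 2253 parse:", seq == parse_rfc2253(RFC2253_DN))
    print("re-serialised:", to_rfc2253(seq))
    print("post's unescaped spelling parses as RFC 2253:", parses_as_rfc2253(POST_RFC2253_DN))
```

Both parsers return the same structure for the example, and `to_rfc2253` regenerates the escaped RFC 2253 string from the OpenSSL input; `naive_split` shows the slash clash Bruno describes (the URI value is cut into five fragments), and the unescaped spelling fails to parse because the '+' in "FOAF+SSL" reads as a multi-valued-RDN separator.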

