[Python-Dev] frozenset C API?

Bill Janssen janssen at parc.com
Wed Sep 5 00:21:10 CEST 2007


> > X.509 DNs are sets of X.500 attributes, and X.500
> > attributes may be either single-valued or multiple-valued.
> 
> Conceptually perhaps (although I doubt that).

I got that from David Chadwick's book at http://sec.cs.kent.ac.uk/x500book/.

``An attribute comprises an attribute type and one or more attribute values.''

The question is, how would a multiple-valued attribute be represented
in a certificate Name?  I'm presuming it would appear as multiple
attributes with the same "type", but different values.

> Conceptually, it should be a list (order *is* relevant). It can
> then be debated whether the RDN can be represented as a dictionary;
> my understanding is that the intention of RDNs is that the AttributeType
> is unique within an RDN (but I may be wrong).

> Name ::= CHOICE { RDNSequence }
> 
> RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
> 
> RelativeDistinguishedName ::=
>      SET OF AttributeTypeAndValue
> 
>  AttributeTypeAndValue ::= SEQUENCE {
>      type     AttributeType,
>      value    AttributeValue }

Order is important in the directory tree, but not (I think) in the DN;
that name is just an unordered set of attributes, because the
hierarchy information has already been lost (the RDN elements cannot
be distinguished from each other using only the internal certificate
information).

In any case, it certainly sounds to me as if there can be multiple
instances of AttributeTypeAndValue with the same "type" field in a
single Name.  So I'll represent them as tuples, which will preserve
the order in which they occur in the certificate, and make the value
immutable.  Applications which need them as sets can create their
own frozensets from that tuple.

Bill
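
The tuple representation described in the message above, as an added example that is not part of the original post or of any Python module's code: it decodes a DER-encoded Name into a tuple of RDNs, each a tuple of (type, value) pairs in certificate order. The function names are hypothetical, the sample bytes are constructed, and attribute values are assumed to be PrintableString or UTF8String.

```python
# Added example: decode a DER X.509 Name into nested tuples (names hypothetical).
def read_tlv(buf, pos):
    """Return (tag, value, next_pos); definite lengths, one-byte tags only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def children(value, want):
    pos = 0
    while pos < len(value):            # walk consecutive TLVs, all tagged `want`
        tag, val, pos = read_tlv(value, pos)
        if tag != want:
            raise ValueError("unexpected tag 0x%02x" % tag)
        yield val

def decode_oid(body):
    subs, acc = [], 0
    for b in body:                     # base-128 subidentifiers
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(acc)
            acc = 0
    head = (subs[0] // 40, subs[0] % 40) if subs[0] < 80 else (2, subs[0] - 80)
    return ".".join(map(str, head + tuple(subs[1:])))

def parse_atv(atv):
    _, oid, pos = read_tlv(atv, 0)     # AttributeType (OID, tag 0x06 assumed)
    _, val, _ = read_tlv(atv, pos)     # AttributeValue (string type assumed)
    return decode_oid(oid), val.decode("utf-8")

def parse_name(der):
    """Name -> tuple of RDNs; each RDN -> tuple of (type, value) in wire order."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name must be exactly one SEQUENCE")
    return tuple(tuple(parse_atv(a) for a in children(rdn, 0x30))
                 for rdn in children(seq, 0x31))

# Constructed: RDN 1 = {C=US}; RDN 2 = {OU=a, OU=b} (same type twice).
SAMPLE_NAME = bytes.fromhex("3023" "310b3009060355040613025553"
                            "3114" "3008060355040b130161" "3008060355040b130162")
```

On the sample, `dict(parse_name(SAMPLE_NAME)[1])` keeps only one of the two OU values, while `frozenset(...)` over the same RDN gives the order-insensitive view an application can build from the tuple.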

