Table 5-2: An Expanded X.509 Distinguished Name

TWO-LETTER CODE   LONG NAME                       VALUE
CN                Common Name                     Joshua Davies
OU                Organizational Unit             Architecture
O                 Organization                    Travelocity
L                 Locality, usually a city name   Southlake
ST                State                           Texas
C                 Country                         USA
As you can see, this identifies, fairly uniquely, an individual person. (Strictly, the C attribute is defined as a two-character PrintableString holding the ISO 3166 country code, so a real certificate would carry US rather than USA.) In the case of an X.509 certificate, a distinguished name is used to identify the issuer; the certificate's subject is identified the same way. Here's an example issuer name:

CN = VeriSign Class 3 Extended Validation SSL SGC CA,
OU = Terms of use at https://www.verisign.com/rpa (c)06,
OU = VeriSign Trust Network, O = VeriSign, Inc., C = US

This is the issuer string on the certificate that identified the Travelocity.com web site at the time of this writing. As you can see, the CN (common name) doesn't actually identify a person; it identifies an entity. The OU field appears twice and is used to transmit data not actually related to any organizational unit. Still, it identifies an issuer well enough for the receiver to decide whether or not it wants to trust it. See the discussion later in this chapter about the issuerUniqueId field for more on this topic.
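To make the structure behind these display strings concrete, here is an added example (my own code, not the book's) that DER-encodes and decodes the X.509 Name type using only the Python standard library. It assumes one attribute per relative distinguished name, which is how nearly every real certificate is built, and it hard-codes the six attribute OIDs for the short codes in Table 5-2; those OID values come from X.520 and are not stated in the text. Encoding the Table 5-2 name and the VeriSign issuer above shows that OU can simply appear twice because a Name is nothing more than an ordered list of (OID, value) pairs with nothing mandatory, and it shows why the comma-separated rendering is a lossy view of the DER: the value "VeriSign, Inc." contains a comma, so a checker that splits the rendered string on commas counts six fields where the certificate carries five.

```python
"""Added example, not the book's code: a minimal DER encoder/decoder for the
X.509 Name type, showing what sits behind an issuer string like the one above."""
from typing import List, Tuple

# Attribute type OIDs for the short codes in Table 5-2 (from X.520; not stated in the text).
ATTR_OIDS = {"CN": "2.5.4.3", "C": "2.5.4.6", "L": "2.5.4.7",
             "ST": "2.5.4.8", "O": "2.5.4.10", "OU": "2.5.4.11"}
# Universal DER tags (X.690).
SEQUENCE, SET, OID_TAG, PRINTABLE_STRING, UTF8_STRING = 0x30, 0x31, 0x06, 0x13, 0x0C
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
Name = List[Tuple[str, str]]  # [(short code, value), ...]

def _tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value with DER definite length (short form below 128 bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low seven bits give the number of length bytes
        count = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + n > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + n], pos + n

def _encode_oid(dotted: str) -> bytes:
    """X.690 OID encoding: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

OID_BYTES = {_encode_oid(oid): code for code, oid in ATTR_OIDS.items()}  # DER body -> code

def encode_name(name: Name) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName, each a SET OF AttributeTypeAndValue,
    each a SEQUENCE { type OBJECT IDENTIFIER, value ANY }. Nothing in that definition is
    mandatory and no type is forbidden from repeating, so two OUs are perfectly legal."""
    rdns = b""
    for code, value in name:
        if all(ch in PRINTABLE for ch in value):
            val = _tlv(PRINTABLE_STRING, value.encode("ascii"))
        else:
            val = _tlv(UTF8_STRING, value.encode("utf-8"))
        atv = _tlv(SEQUENCE, _tlv(OID_TAG, _encode_oid(ATTR_OIDS[code])) + val)
        rdns += _tlv(SET, atv)  # one attribute per RDN, as in nearly every real certificate
    return _tlv(SEQUENCE, rdns)

def decode_name(der: bytes) -> Name:
    """Inverse of encode_name; unknown attribute types come back as the hex of their OID body."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    name, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        inner = 0
        while inner < len(rdn):  # a SET may legally hold several attributes
            _, atv, inner = _read_tlv(rdn, inner)
            tag, oid_body, p = _read_tlv(atv, 0)
            if tag != OID_TAG:
                raise ValueError("attribute type must be an OBJECT IDENTIFIER")
            _, val_body, _ = _read_tlv(atv, p)
            name.append((OID_BYTES.get(oid_body, oid_body.hex()), val_body.decode("utf-8")))
    return name

def name_to_string(name: Name) -> str:
    """The comma-separated rendering browsers show, unescaped like the text above."""
    return ", ".join(f"{code} = {value}" for code, value in name)

# The two names from the text as (code, value) pairs, in the text's display order.
SUBJECT: Name = [("CN", "Joshua Davies"), ("OU", "Architecture"), ("O", "Travelocity"),
                 ("L", "Southlake"), ("ST", "Texas"), ("C", "USA")]
ISSUER: Name = [("CN", "VeriSign Class 3 Extended Validation SSL SGC CA"),
                ("OU", "Terms of use at https://www.verisign.com/rpa (c)06"),
                ("OU", "VeriSign Trust Network"), ("O", "VeriSign, Inc."), ("C", "US")]
```

Two practical consequences follow. First, when you match a certificate's issuer against a candidate CA's subject during chain building, compare the encoded attribute type and value pairs, never the rendered string: RFC 4514 escapes an embedded comma as `\,`, but not every tool that prints a name does, and `name_to_string(ISSUER).split(",")` above returns six pieces for five attributes. Second, real certificates store the RDNs most-general-first (C, then O, and so on down to CN) and browsers print them reversed; the lists here follow the text's display order, so reverse them before comparing against bytes from a live certificate. The decoder accepts a multi-valued RDN, but the encoder always emits one attribute per RDN, so that distinction does not survive a round trip.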
You can see this yourself. By way of example, follow these steps:
In Firefox:
1. Navigate to a secure page.
2. Double-click the lock icon, and click the View button. The Issued By section details the contents of the "issuer" field in the X.509 certificate that the server presented to negotiate the secure connection in the first place.
Using Microsoft's Internet Explorer 8:
1. Navigate to a secure page.
2. Click the lock icon on the URL bar, and select View Certificates. The Certificate dialog appears as shown in Figure 5-3.
3. Click the Details tab, and click Issuer.
One thing you may notice about the two distinguished name examples I've given is that not every field appears in each distinguished name, because at least some of them are optional. In fact, technically speaking, all of them are optional. If you look at the declaration of the Name type, which is the type of the issuer field, you see that it's defined generically: