author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2021-05-18 16:32:55 -0400
committer: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2021-05-28 14:06:48 -0400
commit: f2b207b3aebe298d99810235d97cb120853b051f
tree: 9c3a972b106452f34d61a21554385bda5a634c8d /NEWS
parent: d2c249054f9abc17352c7a8807de2d7ed847c212
certtool: order DN components by scale.

DN components are expected to be ordered by scale, with the wire format representing larger-scale components (like country or organization) before smaller-scale components (like state or organizationalUnit).

The bulk of the changes here of course are changes to the target certificates in the test suite.

Note that a change was necessary in tests/cert-tests/crq.sh because it tests the "interactive" mode of certtool. If any user is scripting certtool in this way, this change will cause a backwards-incompatible break. However, I think this is OK -- the supported scripted/batch mode for certtool should use a template file, and I don't think it's important to maintain a strict api on the interactive mode.

The main change here is to order the DN from least-specific-to-most, in particular:

  country, state, locality, org, orgunit, cn, uid

But I've also made an additional arbitrary choice, which is that DC (domain component) comes *after* uid. This was already the case in certificate generation, but in *request* generation, it was the other way around. I've changed request generation to match this ordering from certificate generation.

Closes: #1243

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 7
1 files changed, 7 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 86e33edd58..a3a0a1658d 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,13 @@ See the end for copying conditions.
GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now
deprecated and will be removed in the future releases.
+** certtool: When producing certificates and certificate requests, subject DN
+ components that are provided individually will now be ordered by
+ assumed scale (e.g. Country before State, Organization before
+ OrganizationalUnit). This change also affects the order in which
+ certtool prompts interactively. Please rely on the template
+ mechanism for automated use of certtool! (#1243)
+
** API and ABI modifications:
gnutls_early_cipher_get: Added
gnutls_early_prf_hash_get: Added
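Review bot: The added "** certtool:" entry describes the new order only as "assumed scale" with two example pairs, so a reader cannot tell where Locality, CN, UID or DC end up; the commit message gives the full sequence (country, state, locality, org, orgunit, cn, uid, with DC after uid), and that list should be in the entry itself. The entry also does not say that certificate request generation changed its DC/uid order to match certificate generation, and it mentions the changed interactive prompt order without stating that scripts driving those prompts will break; suggest adding one sentence for each, next to the existing pointer to the template mechanism.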