  Understanding OSI names
Added by Jose REMY, last edited by Jose REMY on Jul 10, 2007

OSI stands for "Open Standards for Interconnection", from ISO / ITU.
An OSI name is called a "Distinguished Name" (DN), which is used in all OSI-related technologies, such as:

  • Certificates (X.509)
  • LDAP directories, including Microsoft Active Directory (X.500)
  • Military and aeronautical messaging systems (X.400)

A "Distinguished Name" (DN) is a collection of one or more of the following components:

  • CN: Common Name
  • OU: Organisational Unit
  • O: Organisation
  • C: Country
  • and many others, such as givenName, sn (surname) and l (location)

Example DN:
DN: cn=My_full_name,ou=Related_Organisation_Unit,ou=other_related_unit,o=Company_name,c=country

or, with the alternate DC scheme mostly used in directories (the naming context is then built from domain components, dc=example,dc=com, rather than o and c):

DN: cn=My_full_name,ou=Related_Organisation_Unit,ou=other_related_unit,dc=example,dc=com

Useful Information

If you want to participate in the OpenLDAP referral service (ldap://root.openldap.org) you MUST use the DC scheme and set appropriate SRV records in your DNS.
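The DN structure above and the DC-scheme requirement, as an added example (not openOSI code): a small RFC 4514 DN parser that keeps escaped separators inside their value, a check that a DN's naming context is made of domain components, and a helper that derives the DC-form base DN from a DNS name. Attribute types are lower-cased for comparison; the hex-pair decoding assumes single-byte values.

```python
# Added example (not openOSI code): RFC 4514 DN parser plus DC-scheme helpers.

def _unescape(value: str) -> str:
    r"""Decode backslash escapes (\, \= \+ \\) and single-byte \XX hex pairs."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))   # \2C -> ','
                i += 3
            else:
                out.append(value[i + 1])         # \, -> ','
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return (type, value) pairs leaf-first; ',' and '+' both delimit RDN parts."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\":                # keep the escape pair together so an
            buf.append(dn[i:i + 2])      # escaped ',' never splits the DN
            i += 2
            continue
        if dn[i] in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, raw = part.strip().partition("=")
        if not attr or not raw:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().lower(), _unescape(raw.strip())))
    return pairs

def uses_dc_scheme(dn: str) -> bool:
    """True when the naming context (rightmost RDN) is a domain component."""
    return parse_dn(dn)[-1][0] == "dc"

def domain_to_dc(domain: str) -> str:
    """DNS name -> DC-form base DN, e.g. example.com -> dc=example,dc=com."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))
```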

Common meanings of OU are as follows:

  • OU=Hosts
  • OU=People # users
  • OU=Services # Daemons

openOSI also uses the following in its naming scheme:

  • OU=VirtualHosts
  • OU=VirtualPeople # nicknames
  • OU=PKI # Certification authorities

In principle you are free to use whatever you want as DN component values, unless you ask a certification authority to certify these values; that is, unless you intend a public use of these names in order to participate in an Internet of trust (similar to the DNS, the Domain Name System).

You MUST use a "Distinguished Name" to generate a certificate request; see fillingDN.

For additional information, check the various OSI X.500 standards and RFCs.

Useful Information

There can be links between the DNS and the OSI naming scheme, especially when domain components are used in distinguished names. Some people store their DNS database in an LDAP directory (as Microsoft optionally does). Most people don't, in order to keep DNS and directories loosely coupled. There is an interesting use of LDAP directories for certificates: storing the certificates and their revocation lists (CRLs) in the directory. You MAY therefore imagine a scheme that facilitates directory searching for your certificate retrieval. That is, unless you use a third-party directory like openOSI (directory.opensosi.org). openOSI practice is to store your certificate in a virtual OU according to the openOSI naming scheme, without relying on the distinguished name of the certificate. See certCheck and CAcertsRetrieve.
