I have come across two different ways of encoding multiple OUs. One is to list the multiple OUs at the same level as the other identifiers, such as
SEQUENCE {
  SET {
    SEQUENCE {
      OBJECT IDENTIFIER commonName (2 5 4 3)
      PrintableString 'tester'
    }
  }
  SET {
    SEQUENCE {
      OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
      UTF8String 'department1'
    }
  }
  SET {
    SEQUENCE {
      OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
      UTF8String 'org1'
    }
  }
}
Another is to embed the OUs as a list, as follows:
SEQUENCE {
  SET {
    SEQUENCE {
      OBJECT IDENTIFIER commonName (2 5 4 3)
      PrintableString 'tester'
    }
  }
  SET {
    SEQUENCE {
      OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
      PrintableString 'department1'
    }
    SEQUENCE {
      OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
      PrintableString 'org1'
    }
  }
}
And some tools would decode the 2nd encoding as 1 OU only, representing it as follows:
organizationalUnitName = department1 + organizationalUnitName = org1
I am just wondering which is the better, or more common, way to encode multiple OUs.
In the first encoding (SET nests only one SEQUENCE), RDN attributes are printed/decoded in the exact order in which they are encoded:
In the second example (SET nests multiple SEQUENCEs), RDN attributes inside a single SET can be reordered and may result in two paths:
And these two paths are not the same. This is because SET is an unordered list and the application is free to order them as they need/want. Therefore, I would recommend using the first encoding, i.e. only one SEQUENCE inside each SET. This guarantees that the X.500 name results in the same path in all conforming implementations.
p.s. I just tested this with the Microsoft implementation of the X.500 decoder. It doesn't re-order multiple SEQUENCEs inside a SET and decodes in the exact order in which the RDNs are encoded, i.e.
OU=org1, OU=department1, CN=tester
p.p.s. keep in mind that RDNs shall be encoded from the tree root down to the leaf node. Your encoding is the opposite and may lead to an undesired string.
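To make the difference between the two encodings concrete, here is an added example (not code from either poster) that builds both Names from the question with a minimal DER encoder and decodes them back. All function names are hypothetical, every value is encoded as UTF8String for simplicity, and the decoder handles short-form lengths only; it also shows the DER rule (X.690 11.6) that the elements of a SET OF are sorted by their encoded octets, so the multi-valued RDN does not keep the order the OUs were listed in.

```python
OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName
OID_OU = bytes.fromhex("55040b")   # 2.5.4.11 organizationalUnitName
NAMES = {OID_CN: "CN", OID_OU: "OU"}

def _tlv(tag: int, content: bytes) -> bytes:
    """One DER TLV; short-form length only, which covers everything here."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def attribute(oid: bytes, value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value UTF8String }."""
    return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, value.encode("utf-8")))

def rdn(*attrs: bytes) -> bytes:
    """One RDN (SET OF). DER requires SET OF elements to be sorted by their
    encoded octets, so a multi-valued RDN does not keep the caller's order."""
    return _tlv(0x31, b"".join(sorted(attrs)))

def name(*rdns: bytes) -> bytes:
    """Name (SEQUENCE OF): RDN order is preserved, root first, leaf last."""
    return _tlv(0x30, b"".join(rdns))

def _walk(buf: bytes):
    """Yield (tag, content) for each short-form TLV in buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        yield tag, buf[i + 2 : i + 2 + length]
        i += 2 + length

def decode_name(der: bytes) -> list[list[str]]:
    """One list of 'TYPE=value' strings per RDN, in the order they are encoded."""
    (_, rdn_seq), = _walk(der)                       # outer SEQUENCE
    result = []
    for _, rdn_set in _walk(rdn_seq):                # one SET per RDN
        attrs = []
        for _, atv in _walk(rdn_set):                # one SEQUENCE per attribute
            (_, oid), (_, val) = _walk(atv)
            attrs.append(f"{NAMES.get(oid, oid.hex())}={val.decode()}")
        result.append(attrs)
    return result

def to_string(der: bytes) -> str:
    """RFC 4514 style string: leaf RDN first, multi-valued RDN joined with '+'."""
    return ",".join("+".join(a) for a in reversed(decode_name(der)))

# Encoding 1 from the question: three single-valued RDNs (constructed sample).
SINGLE_VALUED = name(rdn(attribute(OID_CN, "tester")),
                     rdn(attribute(OID_OU, "department1")), rdn(attribute(OID_OU, "org1")))
# Encoding 2: one multi-valued RDN holding both OUs (constructed sample).
MULTI_VALUED = name(rdn(attribute(OID_CN, "tester")),
                    rdn(attribute(OID_OU, "department1"), attribute(OID_OU, "org1")))
```

Decoding SINGLE_VALUED yields the three OUs exactly as listed, while MULTI_VALUED comes back with org1 before department1 because its shorter encoding sorts first, which is the reordering the answer warns about.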