
I have come across two different ways of encoding multiple OUs. One is to list the multiple OUs at the same level as the other identifiers, such as

SEQUENCE {
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER commonName (2 5 4 3)
       PrintableString 'tester'
       }
     }
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
       UTF8String 'department1'
       }
     }
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
       UTF8String 'org1'
       }
     }
}

Another is to embed the OUs as a list, as follows

SEQUENCE {
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER commonName (2 5 4 3)
       PrintableString 'tester'
       }
     }
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
       PrintableString 'department1'
       }
     SEQUENCE {
       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
       PrintableString 'org1'
       }
     }
}

And some tools would decode the 2nd encoding as 1 OU only, representing it as follows

organizationalUnitName    = department1 + organizationalUnitName    = org1

I am just wondering which way is better, or the more common way, to encode multiple OUs.

Iririki

1 Answer


In the first encoding (the SET nests only one SEQUENCE), RDN attributes are printed/decoded in the exact order in which they are encoded:

OU=org1, OU=department1, CN=tester

In the second example (the SET nests multiple SEQUENCEs), RDN attributes inside a single SET can be reordered and may result in two paths:

OU=org1, OU=department1, CN=tester
OU=department1, OU=org1, CN=tester

And these two paths are not the same. This is because SET is an unordered list and the application is free to order them as they need/want. Therefore, I would recommend using the first encoding, i.e. only one SEQUENCE inside a SET. This guarantees that the X.500 name results in the same path in all conforming implementations.

p.s. I just tested this with the Microsoft implementation of the X.500 decoder. It doesn't re-order multiple SEQUENCEs inside a SET and decodes in the exact order in which the RDNs are encoded, i.e. OU=org1, OU=department1, CN=tester

p.p.s. Keep in mind that RDNs shall be encoded from the tree root down to the leaf node. Your encoding is the opposite and may lead to an undesired string.

Crypt32
  • Thanks for pointing it out in the p.p.s. So basically, there are no set rules on how to encode multiple OUs in an X.509 certificate, except for the concern that the order of the OUs might not be as desired. – Iririki Oct 16 '20 at 06:43
  • At least, I'm not aware of any such spec. I would stick with the first option (one SEQUENCE inside a SET) since it provides a consistent result and is the de-facto standard in Internet PKI, so it is highly compatible. – Crypt32 Oct 16 '20 at 06:46
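The two encodings from the question and the SET-ordering point from the answer, worked through in an added Python example. This is not code from the question, the answer, or any library: it is a hand-written minimal DER encoder/decoder for an X.501 Name using only the standard library. The value strings 'tester', 'department1' and 'org1' are the ones in the question; the function names (encode_rdn, decode_name, to_rfc4514 and so on) are this example's own, and all values are encoded as PrintableString for simplicity.

```python
# Added example: minimal DER encoder/decoder for an X.501 Name (stdlib only).
# Values 'tester', 'department1', 'org1' come from the question; everything
# else (function names, structure) is this example's own.

OID_CN, OID_OU = "2.5.4.3", "2.5.4.11"
SHORT = {OID_CN: "CN", OID_OU: "OU"}            # RFC 4514 short attribute names
TAG_OID, TAG_PRINTABLE, TAG_SEQUENCE, TAG_SET = 0x06, 0x13, 0x30, 0x31


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value with DER minimal length encoding."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, base-128 after."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def encode_ava(oid: str, value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString }"""
    return tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_PRINTABLE, value.encode("ascii")))


def encode_rdn(avas, der: bool = True) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue.
    DER (X.690 11.6) requires SET OF members sorted by their encodings, so the
    caller's order inside a multi-valued RDN does not survive on the wire."""
    return tlv(TAG_SET, b"".join(sorted(avas) if der else avas))


def encode_name(rdns) -> bytes:
    """Name ::= SEQUENCE OF RDN, written root first."""
    return tlv(TAG_SEQUENCE, b"".join(rdns))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_name(der: bytes):
    """Parse a Name into a list of RDNs; each RDN is a list of (oid, value).
    An RDN list with more than one pair is a multi-valued RDN."""
    tag, seq, _ = read_tlv(der, 0)
    assert tag == TAG_SEQUENCE, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        assert tag == TAG_SET, "RDN must be a SET"
        avas, p = [], 0
        while p < len(rdn):
            tag, ava, p = read_tlv(rdn, p)
            assert tag == TAG_SEQUENCE, "AttributeTypeAndValue must be a SEQUENCE"
            _, oid, q = read_tlv(ava, 0)
            _, value, _ = read_tlv(ava, q)
            avas.append((decode_oid(oid), value.decode("utf-8")))
        rdns.append(avas)
    return rdns


def to_rfc4514(rdns) -> str:
    """RFC 4514 string: leaf RDN first (reverse of wire order); attributes of a
    multi-valued RDN joined with '+'. Escaping is omitted because the sample
    values contain no special characters."""
    return ",".join("+".join(f"{SHORT.get(o, o)}={v}" for o, v in rdn)
                    for rdn in reversed(rdns))


CN, OU_DEPT, OU_ORG = (encode_ava(OID_CN, "tester"),
                       encode_ava(OID_OU, "department1"),
                       encode_ava(OID_OU, "org1"))
# Encoding 1 from the question: three single-valued RDNs (CN, OU, OU), CN first.
NAME_SEPARATE = encode_name([encode_rdn([CN]), encode_rdn([OU_DEPT]), encode_rdn([OU_ORG])])
# Encoding 2 from the question: two RDNs, the second a multi-valued RDN with both OUs.
NAME_MULTI = encode_name([encode_rdn([CN]), encode_rdn([OU_DEPT, OU_ORG])])

if __name__ == "__main__":
    for label, name in (("separate RDNs", NAME_SEPARATE), ("multi-valued RDN", NAME_MULTI)):
        rdns = decode_name(name)
        print(f"{label}: {len(rdns)} RDNs -> {to_rfc4514(rdns)}")
    print("DER discards caller order:", encode_rdn([OU_DEPT, OU_ORG]) == encode_rdn([OU_ORG, OU_DEPT]))
```

Running it shows three things. The first encoding decodes to three RDNs and the second to two, which is why a tool printing the second one as `organizationalUnitName = department1 + organizationalUnitName = org1` is correct: that is one RDN with two attributes. With `der=True` the two OU attributes of the multi-valued RDN produce identical bytes whichever order they are supplied in, because DER sorts SET OF members by their encodings (the shorter 'org1' element sorts first here); only a non-DER (BER) encoding carries the caller's order, which is the answer's point that the order inside a SET is not something a relying party can count on. Finally, because the question's encodings put CN first on the wire (root position), the RFC 4514 string form comes out as `OU=org1,OU=department1,CN=tester` with the CN last, which is the "undesired string" the p.p.s. warns about.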