This repository was archived by the owner on Aug 15, 2025. It is now read-only.
File: docs/Protocol Specifications/core.md
Lines changed: 8 additions & 4 deletions
@@ -165,7 +165,8 @@ host.
165
165
polyproto servers can be hosted under a domain name different from the domain name
166
166
appearing on ID-Certs managed by that server **if all the following conditions are met:**
167
167
168
-
1. Define the "*visible domain name*" as the domain name visible on an ID-Cert.
168
+
1. Define the "*visible domain name*" as the domain name described by the [polyproto distinguished name](#6111-polyproto-distinguished-name-pdn)
169
+
of the "issuer" field on an ID-Cert.
169
170
2. Define the "*actual domain name*" as the domain name where the polyproto server is actually hosted
170
171
under.
171
172
3. The *visible domain name***must** have a URI `[visible domain name]/.well-known/polyproto-core`,
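Review bot: "the domain name described by the polyproto distinguished name of the 'issuer' field" (new lines 168-169) still leaves the mapping from a pDN to a domain name implicit; since the pDN section later in this same change relies on domain components (`dc`), state here that the visible domain name is the one formed by the issuer pDN's `dc` attributes, in their X.509 order, so implementers derive it the same way. Two smaller points in the visible context: line 170-171 reads "hosted under." with the preposition dangling onto the next line ("actually hosted under" or simply "hosted" would do), and line 172 has `*visible domain name***must**` with no space before the bold marker, which will render the emphasis incorrectly; suggest "The *visible domain name* **must** have a URI".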
@@ -1035,7 +1036,7 @@ client.
1035
1036
An ID-CSR includes the following information, according to the X.509 standard:
1036
1037
1037
1038
- The public identity key of the client.
1038
-
- A polyproto Distinguished Name (`pDN`) "subject name", describing the actor the certificate is
1039
+
- A polyproto Distinguished Name (`pDN`) "subject", describing the actor the certificate is
1039
1040
issued to. The `pDN` must be formatted according to [Section 6.1.1.1](#6111-polyproto-distinguished-name-pdn).
1040
1041
- The signature algorithm used to sign the certificate.
1041
1042
- The signature of the certificate, generated by using the entities' private identity key.
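Review bot: Renaming "subject name" to "subject" (new line 1038) is the right call, as it matches the X.509 field name and the "issuer"/"subject" wording added later in this same change; while touching the list, the context line "generated by using the entities' private identity key" should read "entity's" (one entity signs the request), and "issued to. The `pDN` must be formatted..." would be clearer as a single sentence with the bullet, since the wrapped continuation line currently starts mid-sentence.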
@@ -1082,14 +1083,17 @@ ID-Certs have the following structure:
1082
1083
| The session ID of the client. | No two valid certificates for one session ID can exist. Session IDs have to be unique per actor. | Subject Unique Identifier |
1083
1084
| Extensions |[Extensions and Constraints](#6112-extensions-and-constraints)| Extensions |
1084
1085
1086
+
The domain components (`dc`) in the "issuer" and "subject" fields must be equal and in the same order.
1087
+
A certificate may not be treated as valid otherwise. X.509 semantics describing the correct ordering
1088
+
of domain components apply.
1089
+
1085
1090
##### 6.1.1.1 polyproto Distinguished Name (`pDN`)
1086
1091
1087
1092
polyproto Distinguished Names (`pDNs`) are a subset of an X.509 certificate's [distinguished
1088
1093
Names (`DNs`)](https://ldap.com/ldap-dns-and-rdns/), defined by the LDAP Data Interchange Format (LDIF).
1089
1094
The `DN` is a sequence of [relative distinguished names (`RDNs`)](https://ldap.com/ldap-dns-and-rdns/).
1090
1095
1091
-
The identity descriptor must be unique for each certificate issued by a home server. A `pDN`
1092
-
must meet all the following requirements:
1096
+
A `pDN` must meet all the following requirements:
1093
1097
1094
1098
- If the `pDN` describes an actor, it must have a "common name" attribute. The
1095
1099
common name must be the [local name](#5-federation-ids-fids) of the actor. In the case of an actor
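Review bot: This hunk drops the sentence "The identity descriptor must be unique for each certificate issued by a home server" (old lines 1091-1092) without a replacement; the new `dc` equality rule on lines 1086-1088 constrains the issuer/subject relationship but says nothing about uniqueness, so either restore a uniqueness requirement for the subject pDN (or point to where the table's "Session IDs have to be unique per actor" row is meant to cover it) or note explicitly that the requirement is intentionally removed. On the new text itself: "A certificate may not be treated as valid otherwise" should use RFC 2119 wording ("MUST NOT be treated as valid") consistent with the **must** on line 1086, and "X.509 semantics describing the correct ordering of domain components apply" would benefit from a citation to the specific standard section relied on, since readers otherwise cannot tell which ordering (most-significant component first or last) is intended. Finally, the equality rule is a validation requirement placed under the structure description; consider stating who is expected to enforce it (the issuing home server at signing time and any verifying client) so it is not read as merely descriptive.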