Question

I've been having a bit of trouble parsing a couple of corner cases of RFC 5280 (My ASN.1 isn't quite up to spec).

Firstly, is a lone comma allowed as part of an RDN field? Commas are common, e.g.

CN=Wingdings, Inc

but is a name like

CN=, valid?

Secondly, does the RFC allow empty field names, such as CN=?


Solution

The RFC says this (Section 4.1.2.4):

   Name ::= CHOICE { -- only one possibility for now --
     rdnSequence  RDNSequence }

   RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

   RelativeDistinguishedName ::=
     SET SIZE (1..MAX) OF AttributeTypeAndValue

   AttributeTypeAndValue ::= SEQUENCE {
     type     AttributeType,
     value    AttributeValue }

   AttributeType ::= OBJECT IDENTIFIER

   AttributeValue ::= ANY -- DEFINED BY AttributeType

And then later (Appendix A):

-- Naming attributes of type X520CommonName

id-at-commonName        AttributeType ::= { id-at 3 }

-- Naming attributes of type X520CommonName:
--   X520CommonName ::= DirectoryName (SIZE (1..ub-common-name))
--
-- Expanded to avoid parameterized type:
X520CommonName ::= CHOICE {
      teletexString     TeletexString   (SIZE (1..ub-common-name)),
      printableString   PrintableString (SIZE (1..ub-common-name)),
      universalString   UniversalString (SIZE (1..ub-common-name)),
      utf8String        UTF8String      (SIZE (1..ub-common-name)),
      bmpString         BMPString       (SIZE (1..ub-common-name)) }

From this I deduce:

  1. A CN value must have at least one character.

  2. Just about any character is valid in a CN.

Therefore, "CN=" is not allowed, but "CN=," is allowed.

(Whether you would want to consider "," as an acceptable common name is a different issue, but at least it is not forbidden by the syntax rules.)

Caveat: the above is based on a cursory reading of the RFC and a bit of side-research as a sanity check. I'm not an X.500/520 or ASN.1 expert.
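As an added example (not code from the question or the answer), a minimal DER encoder and decoder for an RDNSequence of commonName attributes that enforces the SIZE (1..ub-common-name) constraint quoted above. It assumes UTF8String values only and takes ub-common-name as 64, the value RFC 5280 Appendix A assigns; it shows that CN="," encodes and round-trips while CN="" is rejected before any DER is produced.

```python
# Added example: hand-rolled DER for RDNSequence of id-at-commonName (2.5.4.3).
# Only the UTF8String choice of X520CommonName is handled; ub-common-name = 64.
UB_COMMON_NAME = 64
ID_AT_COMMON_NAME = bytes.fromhex("0603550403")  # OID 2.5.4.3, DER-encoded
SEQUENCE, SET, UTF8STRING = 0x30, 0x31, 0x0C


def cn_is_valid(value: str) -> bool:
    """SIZE (1..ub-common-name): at least one character, at most 64."""
    return 1 <= len(value) <= UB_COMMON_NAME


def _tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value with short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_cn(value: str) -> bytes:
    """AttributeTypeAndValue { type id-at-commonName, value UTF8String }."""
    if not cn_is_valid(value):
        raise ValueError(f"X520CommonName needs SIZE (1..{UB_COMMON_NAME}), got {len(value)}")
    return _tlv(SEQUENCE, ID_AT_COMMON_NAME + _tlv(UTF8STRING, value.encode("utf-8")))


def encode_rdn_sequence(cns: list[str]) -> bytes:
    """RDNSequence where each RDN is a single-member SET holding one CN."""
    return _tlv(SEQUENCE, b"".join(_tlv(SET, encode_cn(cn)) for cn in cns))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def decode_cns(der: bytes) -> list[str]:
    """Parse an RDNSequence of CN attributes, re-checking the SIZE constraint."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single RDNSequence")
    out, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        if tag != SET or not atv.startswith(ID_AT_COMMON_NAME):
            raise ValueError("expected a SET holding a commonName attribute")
        vtag, val, _ = _read_tlv(atv, len(ID_AT_COMMON_NAME))
        if vtag != UTF8STRING:
            raise ValueError("only UTF8String values are handled here")
        text = val.decode("utf-8")
        if not cn_is_valid(text):
            raise ValueError("decoded CN violates SIZE (1..ub-common-name)")
        out.append(text)
    return out
```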

Licensed under: CC-BY-SA with attribution