On 2016-03-11 15:33, Jakob Bohm wrote:
On 11/03/2016 09:55, Kurt Roeckx wrote:
On 2016-03-11 01:14, Jakob Bohm wrote:
- Non-PrintableString/UTF8String in DNs. Workaround to be removed in
Bug #[TBD].
Does this also apply to "pure ASCII" fields such as country ("C=US")
etc.? Some of those were historically constrained to one of the
lesser ASN.1 string types.
I think C is only a PrintableString, while at least some Turkish CA has
that as a UTF8String. It would require at least a new intermediate CA.
I have encountered at least one in-the-wild certificate where one of
the pure ASCII name components was tagged as a T61STRING. This caused
problems when a broken crypto library silently converted this to
UTF8String, resulting in a DN with a different DER encoding than the DN
in the certificate it was supposed to match.
I have no idea what you are trying to say about "requiring at least a
new intermediate CA".
If you start to reject based on this, and it's the issuer name itself
that has that problem, all the certificates it signs will be rejected.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
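The T61String-to-UTF8String mismatch Jakob describes, and the reject rule Kurt warns about, as an added example that is not code from this thread or from any library named in it. It uses a toy DER encoder/decoder for an X.501 Name and constructed DN values (C=US tagged T61String, O=Example CA tagged PrintableString); these are assumptions for illustration only.

```python
# Constructed example: a minimal DER encoder/decoder for an X.501 Name,
# enough to show how a T61String-tagged component changes the DER bytes.
# Hypothetical helper code; it is not from any library discussed in the thread.
PRINTABLE_STRING, T61_STRING, UTF8_STRING = 0x13, 0x14, 0x0C
OID_TAG, SEQUENCE, SET = 0x06, 0x30, 0x31
OID_COUNTRY = bytes.fromhex("550406")   # id-at-countryName (C)
OID_ORG = bytes.fromhex("55040a")       # id-at-organizationName (O)

def tlv(tag, value):
    """DER tag-length-value; short-form length only (all values here are < 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def encode_name(rdns):
    """rdns: list of (oid, string_tag, text). Each RDN is single-valued."""
    rdn_ders = [tlv(SET, tlv(SEQUENCE, tlv(OID_TAG, oid) + tlv(tag, text.encode("utf-8"))))
                for oid, tag, text in rdns]
    return tlv(SEQUENCE, b"".join(rdn_ders))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); mirrors tlv(), so only short-form lengths are handled."""
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "long-form length not supported in this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def attribute_values(name_der):
    """Yield (oid, string_tag, text) for every AttributeTypeAndValue in the Name."""
    _, rdn_seq, _ = read_tlv(name_der)
    pos = 0
    while pos < len(rdn_seq):
        _, rdn, pos = read_tlv(rdn_seq, pos)
        _, atv, _ = read_tlv(rdn)
        _, oid, p = read_tlv(atv)
        stag, val, _ = read_tlv(atv, p)
        yield oid, stag, val.decode("ascii")  # pure-ASCII payloads are identical under every tag

def reencode_as_utf8(name_der):
    """The silent conversion described in the thread: retag every value as UTF8String."""
    return encode_name([(oid, UTF8_STRING, text) for oid, _, text in attribute_values(name_der)])

def nonstandard_tags(name_der):
    """Components whose tag is neither PrintableString nor UTF8String (the proposed reject rule)."""
    return [(oid, stag) for oid, stag, _ in attribute_values(name_der)
            if stag not in (PRINTABLE_STRING, UTF8_STRING)]

def names_match_by_value(a, b):
    """Tolerant comparison: same attributes and text, ignoring the string tag."""
    return [(o, t) for o, _, t in attribute_values(a)] == [(o, t) for o, _, t in attribute_values(b)]

# Issuer DN as it appears in the (constructed) CA certificate: C is tagged T61String.
ISSUER_IN_CERT = encode_name([(OID_COUNTRY, T61_STRING, "US"), (OID_ORG, PRINTABLE_STRING, "Example CA")])
ISSUER_REENCODED = reencode_as_utf8(ISSUER_IN_CERT)

if __name__ == "__main__":
    print("byte-identical after re-encoding:", ISSUER_IN_CERT == ISSUER_REENCODED)   # False
    print("match ignoring string tags:", names_match_by_value(ISSUER_IN_CERT, ISSUER_REENCODED))
    print("components a strict policy would reject:", nonstandard_tags(ISSUER_IN_CERT))
```

A byte-for-byte issuer/subject comparison fails after the re-encoding even though every attribute's text is unchanged, and the strict tag check flags the issuer name itself, which is exactly the case where every certificate under that CA would be rejected.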