On 10/31/2012 09:22 AM, Daniel Kahn Gillmor wrote:
> * The problem with canonicalization is the subjectName/issuerName DN
> should be canonicalized, but this isn't always implemented. In this
> case the PrintableString doesn't match the UTF8String. If this is the
> only problem with the chain reported, then there is a bug.
I don't really understand what the author means here about canonicalization of a DN (canonicalization is not a PKIX term), but most probably he means the caseIgnoreMatch string comparison algorithm of RFC 5280. This is utter idiocy that we are not going to support in GnuTLS. The Distinguished Name of a certificate isn't copied by a secretary who may enter an extra space or transform a capital letter to lower case. A certificate's DN is copied by software, which does not introduce these errors. The only issues we had with our opaque comparison were in cases where these errors were deliberately inserted for testing; real-world certificates do not have any issue. I really don't know what the PKIX authors were thinking when adopting this string comparison algorithm from the time of telex.

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
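The thread contrasts two ways of deciding whether a certificate's issuer name matches a CA's subject name when building a chain: comparing the DER-encoded Name byte for byte (the opaque comparison GnuTLS uses), or comparing attribute values after the RFC 5280 section 7.1 preparation (decode PrintableString/UTF8String to text, fold case, treat runs of whitespace as insignificant, then caseIgnoreMatch). The following is an added, self-constructed example, not GnuTLS code and not from the thread: it hand-encodes two minimal Names, one with a PrintableString CN and one with a UTF8String CN that differs only in case and spacing, and shows that the opaque comparison rejects the pair while the RFC 5280 style comparison accepts it. The helper names (`encode_name`, `decode_name`, `names_equal_opaque`, `names_equal_rfc5280`) are mine, and the NFKC-plus-casefold-plus-whitespace-collapse step is only an approximation of the RFC 4518 StringPrep profile that RFC 5280 references, not a full implementation of it.

```python
"""Two ways to compare X.509 Distinguished Names (constructed example).

Name ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }
Only short-form DER lengths (< 128 bytes) are handled; enough for a demo.
"""
import unicodedata

SEQUENCE, SET, OID = 0x30, 0x31, 0x06
UTF8_STRING, PRINTABLE_STRING = 0x0C, 0x13
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def _tlv(tag, body):
    """Encode one DER TLV with a short-form length."""
    if len(body) >= 128:
        raise ValueError("long-form lengths are out of scope for this demo")
    return bytes([tag, len(body)]) + body


def encode_name(rdns):
    """rdns: list of (oid_bytes, string_tag, text); one attribute per RDN."""
    body = b""
    for oid, tag, text in rdns:
        if tag == PRINTABLE_STRING:
            raw = text.encode("ascii")      # PrintableString is ASCII-only
        elif tag == UTF8_STRING:
            raw = text.encode("utf-8")
        else:
            raise ValueError("unsupported string type %#x" % tag)
        atv = _tlv(SEQUENCE, _tlv(OID, oid) + _tlv(tag, raw))
        body += _tlv(SET, atv)
    return _tlv(SEQUENCE, body)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form lengths are out of scope for this demo")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_name(der):
    """Parse a DER Name into a list of RDNs, each a list of (oid, tag, raw_value)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a DER Name")
    rdns, pos = [], 0
    while pos < len(body):
        stag, sbody, pos = _read_tlv(body, pos)
        if stag != SET:
            raise ValueError("expected SET in RDN")
        rdn, p = [], 0
        while p < len(sbody):
            atag, abody, p = _read_tlv(sbody, p)
            if atag != SEQUENCE:
                raise ValueError("expected AttributeTypeAndValue")
            otag, oid, q = _read_tlv(abody, 0)
            vtag, raw, _ = _read_tlv(abody, q)
            if otag != OID:
                raise ValueError("expected OBJECT IDENTIFIER")
            rdn.append((oid, vtag, raw))
        rdns.append(rdn)
    return rdns


def names_equal_opaque(a, b):
    """The byte-for-byte comparison: encoding differences are differences."""
    return a == b


def _prepare(tag, raw):
    """Approximation of RFC 5280 7.1 / RFC 4518 preparation (assumption)."""
    text = raw.decode("ascii" if tag == PRINTABLE_STRING else "utf-8")
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(text.split())        # insignificant-space handling


def names_equal_rfc5280(a, b):
    """RDN-by-RDN comparison of prepared values, ignoring string type."""
    ra, rb = decode_name(a), decode_name(b)
    if len(ra) != len(rb):
        return False
    for rdn_a, rdn_b in zip(ra, rb):
        if {(o, _prepare(t, v)) for o, t, v in rdn_a} != \
           {(o, _prepare(t, v)) for o, t, v in rdn_b}:
            return False
    return True


# Constructed sample names: same CN text, different string type and spacing.
CA_SUBJECT = encode_name([(OID_COMMON_NAME, PRINTABLE_STRING, "Example CA")])
CERT_ISSUER = encode_name([(OID_COMMON_NAME, UTF8_STRING, "example  ca")])
OTHER_NAME = encode_name([(OID_COMMON_NAME, PRINTABLE_STRING, "Example CA 2")])

if __name__ == "__main__":
    print("opaque  :", names_equal_opaque(CA_SUBJECT, CERT_ISSUER))   # False
    print("rfc5280 :", names_equal_rfc5280(CA_SUBJECT, CERT_ISSUER))  # True
    print("other   :", names_equal_rfc5280(CA_SUBJECT, OTHER_NAME))   # False
```

The practical difference for a validator is which way it fails: with the opaque comparison a CA that re-encoded its subject (PrintableString in one certificate, UTF8String in another) simply does not match, so the chain fails to build and the error surfaces as a name mismatch; with the looser comparison the candidate issuer is found and the signature check then decides. In both cases the name match only selects a candidate issuer; the signature verification is what actually binds the two certificates.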
