On 27/07/14 14:30, Stephen Henson via RT wrote:
> On Mon Jul 21 20:29:47 2014, v...@v13.gr wrote:
>> I'm not sure whether this change is needed at all as there's no
>> justification for it.
>
> The justification is in RFC3280 et al:
>
> "The UTF8String encoding [RFC 2279] is the preferred encoding, and all
> certificates issued after December 31, 2003 MUST use the UTF8String
> encoding of DirectoryString (except as noted below)."

Steve, that requirement was removed when RFC5280 obsoleted RFC3280.

RFC5280 Section 1 says:
"This specification obsoletes [RFC3280]. Differences from RFC 3280
are summarized below:
...
* Sections 4.1.2.4 and 4.1.2.6 incorporate the conditions for
continued use of legacy text encoding schemes that were
specified in [RFC4630]. Where in use by an established PKI,
transition to UTF8String could cause denial of service based on
name chaining failures or incorrect processing of name
constraints."

And Section 4.2.1.4 says that PrintableString and UTF8String are now
equally preferred.

>> Which of these RFCs does OpenSSL (cl)aim to be compliant with?
>
> So in that sense OpenSSL was a bit behind the times. The configuration files
> were set to use UTF8 only well before then but not the default in the source.
>
> The bug is in any software which relies on the DirectoryString being a
> PrintableString and not in OpenSSL.
>
> Steve.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
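The "name chaining failure" Rob quotes from RFC 5280 is easy to reproduce. The following is an added example, not code from the thread or from OpenSSL: it DER-encodes the same X.500 Name twice, once with PrintableString (tag 0x13) and once with UTF8String (tag 0x0C) attribute values, and shows that a byte-for-byte issuer/subject comparison fails while a comparison on the decoded text (a simplified form of the RFC 5280 section 7.1 rules) still matches. The Name shape, the sample value and the comparison functions are assumptions made for the demo.

```python
# Added example (not from the thread). Pure stdlib; hand-built DER for a Name whose
# every RDN holds exactly one AttributeTypeAndValue. Only short-form lengths (<128).

PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C          # ASN.1 universal tags
OID_CN = b"\x06\x03\x55\x04\x03"                    # id-at-commonName (2.5.4.3)


def der_tlv(tag, body):
    assert len(body) < 128, "short-form length only in this demo"
    return bytes([tag, len(body)]) + body


def encode_name(attrs, string_tag):
    """attrs: [(oid_tlv, text)]. Name ::= SEQUENCE OF RelativeDistinguishedName."""
    rdns = b""
    for oid, text in attrs:
        ava = der_tlv(0x30, oid + der_tlv(string_tag, text.encode("utf-8")))
        rdns += der_tlv(0x31, ava)                  # RDN ::= SET OF AVA
    return der_tlv(0x30, rdns)


def decode_name(der):
    """Return [(oid_tlv, string_tag, text)] for a Name built like encode_name."""
    assert der[0] == 0x30
    out, pos, end = [], 2, 2 + der[1]
    while pos < end:
        assert der[pos] == 0x31                     # SET (one RDN)
        ava = der[pos + 2: pos + 2 + der[pos + 1]]
        assert ava[0] == 0x30 and ava[2] == 0x06    # SEQUENCE, then OID
        oid_len = ava[3]
        oid, tag, val_len = ava[2:4 + oid_len], ava[4 + oid_len], ava[5 + oid_len]
        text = ava[6 + oid_len: 6 + oid_len + val_len].decode("utf-8")
        out.append((oid, tag, text))
        pos += 2 + der[pos + 1]
    return out


def names_match_bytewise(a, b):
    """What software that 'relies on DirectoryString being PrintableString' does."""
    return a == b


def names_match_rfc5280(a, b):
    """Simplified RFC 5280 s7.1: compare decoded text, case-insensitive, whitespace
    collapsed, regardless of which string type carried it."""
    norm = lambda s: " ".join(s.split()).casefold()
    da, db = decode_name(a), decode_name(b)
    return len(da) == len(db) and all(
        x[0] == y[0] and norm(x[2]) == norm(y[2]) for x, y in zip(da, db))


ATTRS = [(OID_CN, "Example CA")]                            # constructed sample
CA_SUBJECT_LEGACY = encode_name(ATTRS, PRINTABLE_STRING)     # old CA cert subject
EE_ISSUER_UTF8 = encode_name(ATTRS, UTF8_STRING)             # new cert's issuer
```

Running `names_match_bytewise(CA_SUBJECT_LEGACY, EE_ISSUER_UTF8)` gives False and `names_match_rfc5280(...)` gives True, which is exactly the gap between a validator that compares raw DER and one that follows the RFC.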