Hi Florian,

I've reviewed the RFC again and think there might be some misinterpretation. The only part I see about underscores reads:

   Implementers should note that the at sign ('@') and underscore ('_')
   characters are not supported by the ASN.1 type PrintableString.
   These characters often appear in Internet addresses.  Such addresses
   MUST be encoded using an ASN.1 type that supports them.  They are
   usually encoded as IA5String in either the emailAddress attribute
   within a distinguished name or the rfc822Name field of GeneralName.
   Conforming implementations MUST NOT encode strings that include
   either the at sign or underscore character as PrintableString.

RFC 5280 doesn't allow underscores for *PrintableString*, but DNSName is an *IA5String*, which does support them.

Jason

On 08/04/2014 03:50 AM, Florian Weimer wrote:
On 08/02/2014 04:09 AM, Jason Uh wrote:
Hi Florian,

Thanks for your input. There was some discussion about the issue in the
past on this list:
http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006622.html


Do you disagree with the comments there?

I think the intent of RFC 5280 is *not* to allow "_" in dNSName.

However, other PKIX implementations (OpenSSL, NSS) do not seem to verify
dNSName syntax at all, so it might be necessary to drop the check for
interoperability reasons in OpenJDK, even if it makes OpenJDK less
compliant with RFC 5280.
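The disagreement above turns on three different rules that are easy to conflate: the PrintableString character repertoire (which excludes '_' and '@'), the IA5String repertoire (7-bit ASCII, so '_' encodes fine), and the RFC 5280 section 4.2.1.6 requirement that a dNSName, while carried as an IA5String, hold a name in the "preferred name syntax" of RFC 1034 section 3.5 as modified by RFC 1123 section 2.1 (letters, digits and hyphens only). The following Python is an added example and is not code from this thread or from OpenJDK; it checks a candidate dNSName against all three rules and DER-encodes/decodes it as the GeneralName dNSName choice ([2] IMPLICIT IA5String, tag byte 0x82). The label regex and the 253-byte overall limit are my reading of RFC 1034/1123, not something the thread states.

```python
# Added example (not from the OpenJDK security-dev thread): which of the
# character-set rules a dNSName value satisfies, plus its DER encoding.
#
# Facts relied on:
#   - X.680 PrintableString allows only A-Z a-z 0-9 space ' ( ) + , - . / : = ?
#   - IA5String allows any 7-bit ASCII character, so '_' and '@' are fine there.
#   - RFC 5280 s4.2.1.6: dNSName is an IA5String whose value MUST be in the
#     preferred name syntax (RFC 1034 s3.5 / RFC 1123 s2.1): labels of letters,
#     digits and hyphens, not starting or ending with '-'. No '_' there either.
#   - GeneralName dNSName is [2] IMPLICIT IA5String: DER tag byte 0x82.
import re
from dataclasses import dataclass

PRINTABLE_STRING_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)
# One DNS label (1..63 chars); RFC 1123 lets a label start with a digit.
# The exact regex is this example's own rendering of the RFC text.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
DNSNAME_TAG = 0x82  # context-specific [2], primitive, IMPLICIT IA5String


def is_ia5string(value: str) -> bool:
    """True if every character is 7-bit ASCII (the IA5String repertoire)."""
    return all(ord(c) < 128 for c in value)


def is_printable_string(value: str) -> bool:
    """True if the value fits in ASN.1 PrintableString (no '@', no '_')."""
    return all(c in PRINTABLE_STRING_CHARS for c in value)


def is_preferred_name_syntax(hostname: str) -> bool:
    """RFC 1034 s3.5 / RFC 1123 s2.1 host name syntax; '_' is not allowed."""
    if not hostname or len(hostname) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in hostname.split("."))


@dataclass(frozen=True)
class DNSNameCheck:
    ia5string: bool
    printable_string: bool
    preferred_name_syntax: bool


def check_dns_name(value: str) -> DNSNameCheck:
    """Evaluate all three rules so the reader can see which one a name fails."""
    return DNSNameCheck(
        ia5string=is_ia5string(value),
        printable_string=is_printable_string(value),
        preferred_name_syntax=is_preferred_name_syntax(value),
    )


def _der_length(n: int) -> bytes:
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_dns_name(value: str) -> bytes:
    """DER-encode a GeneralName dNSName: tag 0x82, length, IA5String bytes.

    Only the IA5String repertoire is enforced here, mirroring what an encoder
    that does not check dNSName syntax (the interoperability case above) does.
    """
    if not is_ia5string(value):
        raise ValueError("dNSName must be IA5String (7-bit ASCII)")
    content = value.encode("ascii")
    return bytes([DNSNAME_TAG]) + _der_length(len(content)) + content


def decode_dns_name(der: bytes) -> str:
    """Parse a DER GeneralName dNSName back to its string value."""
    if len(der) < 2 or der[0] != DNSNAME_TAG:
        raise ValueError("not a dNSName GeneralName")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(der[2:2 + nbytes], "big")
        offset = 2 + nbytes
    content = der[offset:offset + length]
    if len(content) != length or offset + length != len(der):
        raise ValueError("DER length mismatch")
    return content.decode("ascii")


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    for name in ("www.example.com", "mail_server.example.com", "user@example.com"):
        print(name, check_dns_name(name), encode_dns_name(name).hex())
```

Running the block prints, for each constructed name, which rules it satisfies: "mail_server.example.com" is a valid IA5String and so encodes without complaint, but fails both the PrintableString repertoire and the preferred name syntax, which is exactly the gap between "the ASN.1 type permits it" and "RFC 5280 permits it" that the two messages above argue over.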
