On Mon, Nov 29, 2004, Manfred Faulandt wrote:

> Steve,
>
> Many thanks for the very competent answer. We noticed the UTF8 encoding
> but thought about it as a "why not?" matter (and we didn't look into an
> RFC either).
>
> The CA is a Microsoft Shop and Internet Explorer is happy with the
> certificates they issue. I'll check their site again for something like a
> "name rollover" certificate but as far as I remember they offer nothing
> - at least not yet - in this direction.
>

IE might be relying on the keyID in the certificate instead of the DNs: which is considered a bit naughty...

As regards the comparison. It is possible to handle some of the simpler cases in OpenSSL such as BMP<->UTF8 and PrintableString<->UTF8. The evil case is T61<->UTF8 where the T61 is a "real" T61 and not ISO8859-1: it would be a huge amount of effort and might never be used.

Before today I've only come across one example of a certificate outside contrived "compliant tests" that didn't pass a binary match. Now I've got two...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
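The binary match versus the "simpler cases" described in the message above, as an added example that is not part of the original e-mail and is not OpenSSL code: the same commonName encoded as PrintableString, UTF8String and BMPString fails a byte comparison but matches once decoded, while T61 is reported as undecidable. The helper names, the sample names and the short-form-only DER handling are assumptions made for the example, and it converts string types only, with no case or whitespace folding.

```python
# Added example (not OpenSSL code): constructed DER names, standard library only.
PRINTABLE, UTF8, T61, BMP = 0x13, 0x0C, 0x14, 0x1E   # ASN.1 universal string tags
CODECS = {PRINTABLE: "ascii", UTF8: "utf-8", BMP: "utf-16-be"}  # T61 left out on purpose
OID_CN = b"\x06\x03\x55\x04\x03"                      # 2.5.4.3 commonName, full TLV

def tlv(tag, body):
    """Encode one DER TLV; short-form length is enough for these samples."""
    if len(body) >= 0x80:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(body)]) + body

def make_name(cn, string_tag, codec=None):
    """Build a one-RDN Name: SEQUENCE { SET { SEQUENCE { OID, string } } }."""
    value = tlv(string_tag, cn.encode(codec or CODECS[string_tag]))
    return tlv(0x30, tlv(0x31, tlv(0x30, OID_CN + value)))

def read_tlvs(data):
    """Yield (tag, body) for each short-form TLV in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        if length >= 0x80 or i + 2 + length > len(data):
            raise ValueError("unsupported or truncated TLV")
        yield tag, data[i + 2:i + 2 + length]
        i += 2 + length

def name_attributes(der):
    """Return [(oid_body, string_tag, raw_value)] for every attribute in a Name."""
    out = []
    (_, rdns), = read_tlvs(der)
    for _, rdn in read_tlvs(rdns):
        for _, atv in read_tlvs(rdn):
            (_, oid), (tag, raw) = read_tlvs(atv)
            out.append((oid, tag, raw))
    return out

def names_match(a, b):
    """True/False after decoding to Unicode; None if a string type (T61) is not handled."""
    if a == b:                                   # the plain binary match
        return True
    attrs_a, attrs_b = name_attributes(a), name_attributes(b)
    if len(attrs_a) != len(attrs_b):
        return False
    for (oid_a, tag_a, raw_a), (oid_b, tag_b, raw_b) in zip(attrs_a, attrs_b):
        if oid_a != oid_b:
            return False
        if tag_a not in CODECS or tag_b not in CODECS:
            return None                          # cannot tell "real" T61 from ISO8859-1
        if raw_a.decode(CODECS[tag_a]) != raw_b.decode(CODECS[tag_b]):
            return False
    return True
```

A `None` result is the case to log and review by hand: the issuer and subject may well be the same name, but this comparison cannot prove it.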