i just created a few client certificates using openssl, e.g. one which contains the three characters `'´ in the DN, the third of which is beyond ASCII. openssl just turns it into a T61STRING with the ´ encoded as \xB4 which is wrong (\xB4 is the multiplication sign in T.61).
openssl has this to say about it:

<quote src="http://www.openssl.org/docs/apps/req.html">
BUGS

OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively treats them as ISO-8859-1 (Latin 1), Netscape and MSIE have similar behaviour. This can cause problems if you need characters that aren't available in PrintableStrings and you don't want to or can't use BMPStrings.

As a consequence of the T61String handling the only correct way to represent accented characters in OpenSSL is to use a BMPString: unfortunately Netscape currently chokes on these. If you have to use accented characters with Netscape and MSIE then you currently need to use the invalid T61String form.
</quote>

openssl refers to netscape thrice. is the same true for mozilla? from mozilla's point of view, what is the best way to encode characters outside the ASCII range? (i'm speaking of client certificate contents, of course.)

rj
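An added example, not part of the original post and not OpenSSL code: a small DER walker that lists the string type of each attribute in a Name and flags T61String bytes at or above 0x80, which a Latin-1 reader and a T.61 reader interpret differently. The sample Name is constructed, and `T61_READING` is a hypothetical one-entry table covering only the byte 0xB4 named in the post.

```python
# Added example, not OpenSSL code: list string types in a DER-encoded Name and
# flag T61String bytes >= 0x80, whose meaning depends on the reader.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "T61String", 0x16: "IA5String", 0x1E: "BMPString"}
# Assumption: only the one byte named in the post is mapped here.
T61_READING = {0xB4: "\u00d7"}  # multiplication sign in T.61

# Constructed sample: O=Example (PrintableString), CN=60 27 B4 (T61String).
SAMPLE_NAME = bytes.fromhex(
    "3020"
    "3110300e060355040a13074578616d706c65"
    "310c300a06035504031403" "6027b4")

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV nested in a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def audit_name(der):
    """Return one dict per attribute: OID hex, string type, high bytes."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    findings = []
    for _, rdn in children(rdns):        # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):     # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (stag, raw) = list(children(atv))
            # (byte, Latin-1 reading, T.61 reading if known) per high byte
            high = [(b, chr(b), T61_READING.get(b)) for b in raw
                    if stag == 0x14 and b >= 0x80]
            findings.append({"oid": oid.hex(), "high": high,
                             "type": STRING_TAGS.get(stag, hex(stag))})
    return findings
```

Any attribute with a non-empty `high` list is one whose displayed value depends on which reading the consuming software applies.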
