Chris Ridd wrote:
> 
> On Fri, 05 Nov 1999 13:06:42 GMT, Dr Stephen Henson wrote:
> > Chris Ridd wrote:
> > > We'd also potentially run into the problem with some vendors assuming
> > > that T.61 doesn't actually mean T.61, it means ISO-8859-1. So
> > > converting these bogus "T.61" values would produce UTF-8 with bogus
> > > characters.
> > >
> >
> > That's generally the problem with T61. The whole mess is described in
> > Peter Gutmann's X509 style guide. Whatever we do it's likely to be
> > incompatible with some vendor's implementation.
> >
> > We could follow the advice there and treat it as ISO-8859-1 and possibly
> > additionally complain loudly if it sees any shifting or escape codes
> > present or optionally use the hex encoding. Getting a specification for
> > this might be the hardest part.
> 
> Treating it as 8859-1 is just plain wrong, and would penalise vendors
> who bothered implementing the standards correctly (such as ourselves,
> as it happens.)
> 

Which specific standards are you following?

Anyway "traditional" SSLeay (and OpenSSL because the code hasn't been
revised in any official releases yet) did this for any DN field:

1. If it fits in a printable string then do so otherwise...
2. If no MSB is set then use an IA5String otherwise...
3. Use a T61String.
4. Hack up and modify the string type at an application level... this
generally just meant changing commonName to a T61 if it was IA5 or
emailAddress to be always IA5.

Note that the "it" referred to is whatever fgets() returns on the
platform in question...

Yes this is plain wrong as well :-(

> > [Anyone know if Netscape/MSIE handles shifts and escaping with T61 BTW?]
> 
> I think they treat it as 8859-1.
> 

That's what I thought. This causes the problem that just fixing things
by doing it "right" will cause incompatibility with NS/MSIE and
previous versions of OpenSSL/SSLeay.

So I'd guess there should at least be a "compatibility" flag in there.

> > If a vendor wants to handle things properly then they should be using
> > BMPStrings anyway. Netscape in this regard doesn't because it crashes on
> > BMPStrings and UTF8Strings.
> 
> Oh, wonderful.
> 

Yeah great isn't it? 

That's yet another headache. If you do the right thing and use BMPStrings
then anyone using MS software and (say) signing a newsgroup or mailing
list message will crash anyone using Netscape messenger.

I've been told that a fix is not imminent.

MS software BTW doesn't currently display UTF8Strings AFAIK but doesn't
crash; it seems to handle BMPStrings OK.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
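The string-type selection Steve lists (steps 1 to 3) and the "complain loudly if it sees any shifting or escape codes" idea from the quoted proposal, written out as a small added example. This is not code from the thread, from SSLeay or from OpenSSL; the T.61 control-code values (SO, SI, SS2, ESC, SS3) and the 0xC1-0xCF non-spacing diacritic range are taken from ITU-T T.61 and should be treated as an assumption, and the `compat` flag is the "compatibility" switch Steve guesses at, not an existing option. The sample DN values are constructed.

```python
# Added example, not code from the thread or from OpenSSL/SSLeay.
# Implements the old SSLeay DN string-type rule and a diagnostic for
# "T61String" values that are really ISO-8859-1 (or really T.61).

# PrintableString alphabet (X.680): letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)

# T.61 control bytes that change how the following bytes are read.
# Values assumed from ITU-T T.61.
T61_SHIFT_CODES = {0x0E: "SO", 0x0F: "SI", 0x19: "SS2", 0x1B: "ESC", 0x1D: "SS3"}

# In T.61, 0xC1-0xCF are non-spacing diacritics that precede the base letter;
# in ISO-8859-1 the same bytes are ordinary accented capitals (A-grave .. I-umlaut).
T61_DIACRITICS = range(0xC1, 0xD0)


def sslaey_string_type(raw: bytes) -> str:
    """Steps 1-3 of the SSLeay rule: PrintableString if the value fits,
    else IA5String if no byte has the MSB set, else T61String."""
    if all(chr(b) in PRINTABLE for b in raw):
        return "PrintableString"
    if all(b < 0x80 for b in raw):
        return "IA5String"
    return "T61String"


def t61_control_bytes(raw: bytes) -> list:
    """Return (offset, name) for every T.61 shift/escape or diacritic byte in raw.
    An empty list means the bytes read the same as T.61 and as ISO-8859-1."""
    found = []
    for i, b in enumerate(raw):
        if b in T61_SHIFT_CODES:
            found.append((i, T61_SHIFT_CODES[b]))
        elif b in T61_DIACRITICS:
            found.append((i, "DIACRITIC"))
    return found


def decode_t61string(raw: bytes, compat: bool) -> str:
    """Decode a T61String attribute value.

    compat=True  : do what NS/MSIE and old SSLeay do and read the bytes as
                   ISO-8859-1 whatever they contain.
    compat=False : refuse values carrying T.61 shift/escape/diacritic bytes,
                   since reading those as ISO-8859-1 yields wrong characters.
    """
    findings = t61_control_bytes(raw)
    if findings and not compat:
        raise ValueError("T.61 control bytes present: %r" % findings)
    return raw.decode("iso-8859-1")


if __name__ == "__main__":
    # Constructed sample DN attribute values.
    samples = (
        b"Celo Communications",                       # fits PrintableString
        b"user@example.org",                          # '@' forces IA5String
        "M\u00fcller".encode("iso-8859-1"),           # 0xFC: same in T.61 and 8859-1
        "\u00c5ngstr\u00f6m".encode("iso-8859-1"),    # 0xC5: a T.61 accent byte
    )
    for value in samples:
        print(value, sslaey_string_type(value), t61_control_bytes(value))
```

The last sample is the interesting one: an ISO-8859-1 "Å" (0xC5) is a non-spacing macron in T.61, so a reader that honours T.61 renders it as an accent over the "n", while a reader that quietly treats T61String as 8859-1 shows the intended letter. That is exactly the interoperability split described above, and the diagnostic lets an implementation at least tell the two cases apart before choosing.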
