What follows is simply my opinion but I believe it to be correct:

The name must match the text the user entered when specifying the desired host.
As such there are multiple input forms which resolve to the same name. Instead of
using Common Name you should use subjectAltName and provide two entries; one
for each of the UTF8 representation and the ACE representation.

Jeffrey Altman

Gisle Vanem wrote:

How is the /CN= supposed to be encoded for a host/domain-name
using international characters? In some specified charset
(utf8?) or in the ASCII Compatible Encoded form?

I ask since in an application here (using libidn), I get the subject
with X509_get_subject_name() and check the CN (or wildcard
mask) against the host I connect to. If they don't match, that's
an error.

E.g. if I connect to www.tromsø.no, it's registered in DNS as
www.xn--troms-zua.no. Should the CN be the same also? Is it
an error to match the CN against www.tromsø.no too? Guessing
being liberal is okay...

BTW. is there any function in OpenSSL that can match
e.g. "x*.foo.com" against "xxx.foo.com"?

IDNA = Internationalizing Domain Names in Applications, RFC-3490.

--gv
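An added example, not code from either poster, of the check both messages describe: the requested host and each subjectAltName dNSName are normalized to ACE before comparison, so the UTF-8 and ACE forms Gisle asks about collapse to one string, and the wildcard rule follows RFC 6125 section 6.4.3 (wildcard only in the left-most label, never across a dot, never in or against an A-label). Python's built-in 'idna' codec stands in for libidn; the function names are my own.

```python
def to_ace(name: str) -> str:
    """Return the lower-case ACE (punycode) form of a host name.

    The UTF-8 form the user typed ("www.tromsø.no") and the ACE form DNS
    carries ("www.xn--troms-zua.no") collapse to the same string, so the
    certificate can be checked without caring which form was entered.
    Python's built-in 'idna' codec implements the RFC 3490 mapping.
    """
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def label_matches(pattern: str, label: str) -> bool:
    """Match one presented label against one reference label.

    RFC 6125 6.4.3: '*' stands for one or more characters inside a single
    label (never across a dot), and a wildcard is refused in or against an
    A-label (xn--...) so it cannot swallow an internationalized label.
    """
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1 or pattern.startswith("xn--") or label.startswith("xn--"):
        return False
    head, tail = pattern.split("*")
    return (len(label) > len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def host_matches(presented: str, reference: str) -> bool:
    """Check one certificate name (SAN dNSName or CN) against the requested host.

    A wildcard is accepted only in the left-most label, and only when at
    least two labels follow it ("*.foo.com" yes, "*.com" no).
    """
    try:
        p_labels = to_ace(presented).split(".")
        r_labels = to_ace(reference).split(".")
    except UnicodeError:  # malformed or empty label: never a match
        return False
    if len(p_labels) != len(r_labels):
        return False
    if "*" in p_labels[0] and len(p_labels) < 3:
        return False
    if any("*" in lab for lab in p_labels[1:]):
        return False
    return label_matches(p_labels[0], r_labels[0]) and p_labels[1:] == r_labels[1:]


def cert_matches_host(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName dNSName entry matches the requested host."""
    return any(host_matches(name, hostname) for name in san_dns_names)
```

With this normalization a certificate carrying either form (or both, as Jeffrey suggests) verifies against a host typed in either form.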


______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

