On Tue, Jul 29, 2014, Kurt Roeckx wrote:

> On Tue, Jul 29, 2014 at 10:56:14AM +0100, Rob Stradling wrote:
> > On 27/07/14 14:30, Stephen Henson via RT wrote:
> > >On Mon Jul 21 20:29:47 2014, v...@v13.gr wrote:
> > >>
> > >>I'm not sure whether this change is needed at all as there's no
> > >>justification for it.
> > >
> > >The justification is in RFC3280 et al:
> > >
> > >"The UTF8String encoding [RFC 2279] is the preferred encoding, and all
> > >certificates issued after December 31, 2003 MUST use the UTF8String
> > >encoding of DirectoryString (except as noted below)."
> > 
> > Steve, that requirement was removed when RFC5280 obsoleted RFC3280. RFC5280
> > Section 1 says:
> >   "This specification obsoletes [RFC3280].  Differences from RFC 3280
> >    are summarized below:
> >    ...
> >       * Sections 4.1.2.4 and 4.1.2.6 incorporate the conditions for
> >         continued use of legacy text encoding schemes that were
> >         specified in [RFC4630].  Where in use by an established PKI,
> >         transition to UTF8String could cause denial of service based on
> >         name chaining failures or incorrect processing of name
> >         constraints."
> > 
> > And Section 4.2.1.4 says that PrintableString and UTF8String are now equally
> > preferred.
> > 
> > Which of these RFCs does OpenSSL (cl)aim to be compliant with?
> 
> I think 5280 makes more sense.  If it can be written as a
> PrintableString I have no problem with defaulting to a
> PrintableString.  We clearly only want to write either
> UTF8String or PrintableString, at least by default.
> 

That logic was originally there to be compliant with RFC3280. My reading of
RFC5280 is that using UTF8String only does not violate it as it doesn't
require the use of PrintableString.

We could change the mask to be PrintableString and UTF8String. You'd still
have different behaviour though if the passed string doesn't fit in
PrintableString (e.g. contains certain characters like @, &).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
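The choice Steve describes (a string mask allowing PrintableString and UTF8String, with the encoding depending on whether the value fits the PrintableString alphabet) can be made concrete. The following is an added example written for this thread, not OpenSSL's own code: the names `PRINTABLE`, `UTF8`, `pick_encoding` and `encode_directory_string` are invented here, the sample strings are constructed, and the character set is the PrintableString alphabet from X.680 as referenced by RFC 5280. It shows why a value containing `@` or `&` lands in UTF8String even when PrintableString is permitted, and why a UTF8String-only mask never produces PrintableString.

```python
"""Choosing a DirectoryString encoding under a PrintableString|UTF8String mask.

Added example, not OpenSSL's implementation.  Assumed names: PRINTABLE, UTF8,
pick_encoding, encode_directory_string.
"""
import string

# Bit flags standing in for a "string mask" of permitted DirectoryString types.
PRINTABLE = 1
UTF8 = 2

# DER universal class tags for the two string types (X.690).
TAG_PRINTABLE_STRING = 0x13
TAG_UTF8_STRING = 0x0C

# PrintableString alphabet (X.680): letters, digits and a small punctuation set.
# '@', '&', '_', '!' and '*' are NOT in it, so an e-mail address or a name
# such as "AT&T" can never be encoded as a PrintableString.
_PRINTABLE_CHARS = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")


def is_printable_string(s: str) -> bool:
    """True if every character of s is in the PrintableString alphabet."""
    return all(c in _PRINTABLE_CHARS for c in s)


def pick_encoding(s: str, mask: int) -> str:
    """Return the DirectoryString type to use for s under the given mask.

    Preference order: PrintableString when permitted and the value fits,
    otherwise UTF8String when permitted.  Anything else is refused rather
    than silently falling back to a legacy type such as T61String or BMPString.
    """
    if mask & PRINTABLE and is_printable_string(s):
        return "PrintableString"
    if mask & UTF8:
        return "UTF8String"
    raise ValueError(f"{s!r} cannot be encoded with mask {mask:#x}")


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_directory_string(s: str, mask: int) -> bytes:
    """DER-encode s as the DirectoryString type chosen by pick_encoding."""
    kind = pick_encoding(s, mask)
    if kind == "PrintableString":
        tag, payload = TAG_PRINTABLE_STRING, s.encode("ascii")
    else:
        tag, payload = TAG_UTF8_STRING, s.encode("utf-8")
    return bytes([tag]) + _der_length(len(payload)) + payload


if __name__ == "__main__":
    both = PRINTABLE | UTF8
    # Constructed sample values: one that fits PrintableString, two with
    # characters outside its alphabet, and one with a non-ASCII letter.
    for sample in ["Rob Stradling", "AT&T", "ops@example.test", "Zürich"]:
        print(f"{sample!r:20} mask=both -> {pick_encoding(sample, both)}")
        print(f"{sample!r:20} mask=UTF8 -> {pick_encoding(sample, UTF8)}")
        print(f"    DER: {encode_directory_string(sample, both).hex()}")
```

Running it shows the "different behaviour" Steve mentions: under the combined mask `Rob Stradling` becomes a PrintableString (tag `0x13`) while `AT&T` and `ops@example.test` become UTF8Strings (tag `0x0C`), so two otherwise similar names in the same certificate can end up with different encodings. This matters for name chaining and name constraints, which is precisely the RFC 5280 concern Rob quotes above: a relying party that compares DER bytes rather than normalised values will see a PrintableString and a UTF8String holding the same text as different names.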