On 9 Jul 2014, at 02:33, Jeffrey Walton <noloa...@gmail.com> wrote:
> On Tue, Jul 8, 2014 at 7:00 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
>>> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
>>> Sent: Tuesday, July 08, 2014 16:20
>> ...
>>> Not sure if this is any consolation, but countryName is a
>>> DirectoryString, and PrintableString is OK per RFC 5280
>>> (http://tools.ietf.org/html/rfc5280#section-4.1.2.6):
>>
>> Actually it's not. 4.1.2.4 Issuer says Name.RDN.AVA values are
>> 'generally' DirectoryString, but see appendix A on p115:
>> countryName is PrintableString size(2), presumably because its
>> allowed values are from ISO 3166 which in turn uses ASCII letters.
> So countryName is not PrintableString?

Slightly off topic - we did encounter a situation not very long ago where an attempt was made to evade specific firewall rules on a DN by having one of the RDNs (from memory it was the CN) not be the usual UTF8String(0xC) but an IA5String(0x16) - while relying on the app-side infrastructure to match them at application/java compareTo().

Dw.
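An added example, not part of the thread or of OpenSSL: a minimal DER Name walker showing why a rule that matches the encoded DN misses a CN re-encoded as IA5String while a decoded string compare still matches, and how to flag the unexpected string type. The sample names, the helper names and the `EXPECTED` policy are assumptions made for the illustration.

```python
# Added illustration: sample names are constructed, helper names are hypothetical.
OID_C, OID_CN = b"\x55\x04\x06", b"\x55\x04\x03"   # 2.5.4.6, 2.5.4.3
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}
EXPECTED = {OID_C: 0x13, OID_CN: 0x0C}   # assumed policy: the "usual" types

def tlv(tag, body):  # encode one DER TLV; short-form length suffices here
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one TLV at pos, returning (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # iterate over the TLVs inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_name(der):
    """Return [(oid, string_tag, text)] for every attribute in a DER Name."""
    out = []
    for _, rdn in children(read_tlv(der, 0)[1]):        # each RDN (SET)
        for _, ava in children(rdn):                    # each AVA (SEQUENCE)
            (_, oid), (tag, raw) = children(ava)
            if tag not in TAGS:
                raise ValueError(f"unsupported string tag {tag:#x}")
            out.append((oid, tag, raw.decode("utf-8" if tag == 0x0C else "ascii")))
    return out

def same_name(a, b):
    """Compare decoded text only, as an application-side string compare does."""
    return [(o, s) for o, _, s in parse_name(a)] == [(o, s) for o, _, s in parse_name(b)]

def unexpected_types(der):
    """List attributes whose string type differs from the assumed policy."""
    return [(oid.hex(), TAGS[tag]) for oid, tag, _ in parse_name(der)
            if EXPECTED.get(oid, tag) != tag]

def sample_name(cn_tag):
    """Build C=NL, CN=app.example.test with the CN in the given string type."""
    c = tlv(0x31, tlv(0x30, tlv(0x06, OID_C) + tlv(0x13, b"NL")))
    cn = tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(cn_tag, b"app.example.test")))
    return tlv(0x30, c + cn)
```

A filter that compares names the way `same_name` does, or rejects anything `unexpected_types` reports, sees the same DN the application sees.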