Re: [FORGED] TeletexString

2018-07-06 Thread Peter Gutmann via dev-security-policy
Peter Bowen via dev-security-policy writes:

>In reviewing a recent CA application, the question came up of what is allowed
>in a certificate in data encoded as "TeletexString" (which is also sometimes
>called T61String).

For the full story of T.61 strings, see the X.509 style guide,
https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt, it's a flat text
file but grep for "T.61/TeletexString" for the text that covers it.

Some further notes, at the time a lot of implementations just treated it as
8859-1 (which the guide mentions with the comment on assuming T.61 = latin-1),
which worked OK for most cases where it was used, e.g. umlauts and other
accented characters for European languages.  Also at one point a bunch of
people tried to identify any implementation that would display even something
as basic as umlauts via floating diacritics and were unable to find anything
that did it.

So for certlint I'd always warn for T61String with anything other than ASCII
(which century are they living in? Point them at UTF8 and tell them to come
back when they've implemented it), treat it as a probably 8859-1 string when
checking for validity, and report an error if they try anything like character
set switching and fancy escape sequences, which are pretty much guaranteed not
to work (i.e. display) properly.

Peter.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
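As an added illustration (not code from the thread or from certlint), the following Python implements the lint policy Peter Gutmann describes above for a DER-encoded TeletexString: reject ISO 2022-style escape/shift sequences, judge validity as if the bytes were ISO 8859-1, and warn for anything beyond ASCII. The tag value and the set of shift bytes are assumptions made for this example, and the sample values in the comments are constructed.

```python
# Added example: lint an X.509 TeletexString (T61String) the way the
# message above suggests. Not part of certlint.

T61STRING_TAG = 0x14          # universal tag for TeletexString / T61String

# Bytes that begin character-set switching under ISO 2022 / T.61 (assumed
# list for this example): ESC, SO (locking shift out), SI (locking shift in).
SHIFT_BYTES = {0x1B, 0x0E, 0x0F}


def parse_t61string_der(der: bytes) -> bytes:
    """Return the content octets of a primitive DER TeletexString TLV."""
    if len(der) < 2 or der[0] != T61STRING_TAG:
        raise ValueError("not a primitive TeletexString (tag 0x14)")
    first = der[1]
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long-form length, 1..4 octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    if len(der) != offset + length:
        raise ValueError("length does not match content")
    return der[offset:offset + length]


def lint_teletex_string(content: bytes) -> tuple:
    """Return (findings, display) for one TeletexString value.

    findings is a list of 'error: ...' / 'warning: ...' strings; display is
    the value read as ISO 8859-1, which is what most implementations did.
    """
    findings = []
    if any(b in SHIFT_BYTES for b in content):
        findings.append("error: escape/shift sequence (character set switching)")
    # Printable Latin-1 is 0x20-0x7E and 0xA0-0xFF; anything else is a
    # C0/C1 control code that will not display.
    if any(b < 0x20 or 0x7F <= b < 0xA0 for b in content if b not in SHIFT_BYTES):
        findings.append("error: control character in TeletexString")
    if any(b >= 0x80 for b in content):
        findings.append("warning: non-ASCII TeletexString; use UTF8String instead")
    return findings, content.decode("latin-1")


# Constructed sample: "Müller" as 8859-1 bytes inside a TeletexString TLV.
SAMPLE_DER = b"\x14\x06M\xfcller"
```

`lint_teletex_string(parse_t61string_der(SAMPLE_DER))` yields only the non-ASCII warning and the display string "Müller"; a value containing an ESC byte yields the character-set-switching error as well.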


TeletexString

2018-07-06 Thread Peter Bowen via dev-security-policy
In reviewing a recent CA application, the question came up of what is
allowed in a certificate in data encoded as "TeletexString" (which is
also sometimes called T61String).

Specifically, certlint will report an error if a TeletexString
contains any characters not in the "Teletex Primary Set of Graphic
Characters" unless the TeletexString contains an escape sequence. For
example, including 'ä', or 'ö' will trigger this error unless preceded
by an escape sequence.

In order to figure out what can be used, one needs to reference X.690
Table 3, which notes that G0 is assumed to start with character set
102.  Character set 102 is defined at
https://www.itscj.ipsj.or.jp/iso-ir/102.pdf.  Note that 102 isn't the
same as ASCII nor is it the same as the first part of Unicode.

I hope that this helps explain why these errors show in certlint.

Thanks,
Peter