
RE: SASL EXTERNAL



> -----Original Message-----
> From: Norbert Klasen [mailto:norbert.klasen@daasi.de]

> --On 28 April 2002 23:00 -0700 Howard Chu <hyc@highlandsun.com> wrote:
> > I have ldap_t61s_to_utf8s() in libldap which can be used to address this
> > problem, but it still won't produce the intended result for your DN. Your
> > Latin-1 (ISO 8859-1) xFC (Latin small letter U with diaeresis - u umlaut)
> > is not correct for the T.61 Teletex definition. In T.61 xFC is the small
> > Icelandic thorn character.
> > Basically your DN is improperly constructed; xC8x55 is the correct T.61
> > sequence for (Latin small letter U with diaeresis - u umlaut).

> Improperly - but quite common, at least here in Germany. RFC2459 also says
> that a TeletexString should be interpreted as Latin1:
>    In addition, many legacy implementations support names encoded in the
>    ISO 8859-1 character set (Latin1String) but tag them as
>    TeletexString.  The Latin1String includes characters used in Western
>    European countries which are not part of the TeletexString character
>    set.  Implementations that process TeletexString SHOULD be prepared
>    to handle the entire ISO 8859-1 character set.[ISO 8859-1]
>
> Is there already a function like ldap_t61s_to_utf8s for latin1?
> Implementing it shouldn't be much work since each code point in Latin1 is
> the same in Unicode.

The RFC states that after December 31 2003 all certificate DNs are required
to be in UTF8 encoding. That is a MUST. The reference to TeletexString is a
SHOULD, and implementations are allowed to disregard it.

The difficulty is that there is no way to tell whether a given TeletexString
is actually in the conformant T.61 encoding or in the non-conformant
ISO-8859-1 encoding. Since these encodings have incompatible mappings in the
0x80-0xff character range, you obviously can't have both at once.

I've just searched thru the OpenSSL library to see how they handle the
character set mapping issues. This is in crypto/asn1/a_mbstr.c, and they
just assume the Unicode character set is being used, there is no code that
actually manages the T.61 character set rules. I guess since they will never
give us a certificate whose DN was encoded in actual T.61 form, I'm
satisfied to ignore the T.61 rules and just use ISO 8859-1 instead.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
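
Added example, not part of the original message and not libldap or OpenSSL code: a bounded Latin-1 to UTF-8 conversion of the kind asked about in the thread, applied to a TeletexString value that is assumed to carry ISO 8859-1 bytes. The function name `latin1_to_utf8` is hypothetical and the sample name is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libldap function): convert ISO 8859-1 bytes to
 * UTF-8. Every Latin-1 byte equals its Unicode code point, so bytes below
 * 0x80 copy through and bytes 0x80-0xFF expand to a two-byte sequence.
 * Returns the number of bytes written (excluding the NUL), or -1 if `out`
 * is too small. The worst case needs 2 * inlen + 1 bytes. */
long latin1_to_utf8(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t outlen)
{
    size_t i, o = 0;

    if (outlen == 0)
        return -1;
    for (i = 0; i < inlen; i++) {
        size_t need = (in[i] < 0x80) ? 1 : 2;
        if (o + need > outlen - 1)      /* always keep room for the NUL */
            return -1;
        if (need == 1) {
            out[o++] = in[i];
        } else {
            out[o++] = (unsigned char)(0xC0 | (in[i] >> 6));
            out[o++] = (unsigned char)(0x80 | (in[i] & 0x3F));
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed sample: a name tagged TeletexString but holding Latin-1,
     * with 0xFC meant as u umlaut. A conformant T.61 decoder would read the
     * same 0xFC byte as the small Icelandic thorn, as noted in the thread,
     * so the two readings give different DNs for the same certificate. */
    const unsigned char name[] = "M\xFC" "ller";
    unsigned char utf8[2 * sizeof name + 1];
    long n = latin1_to_utf8(name, sizeof name - 1, utf8, sizeof utf8);
    long i;

    for (i = 0; i < n; i++)
        printf("%02X ", utf8[i]);
    printf("\n");
    return n < 0;
}
```

Because nothing in the encoded value says which table the issuer used, the reading applied here has to be the same one used wherever the DN is later compared or mapped to an identity.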