Re: PKI and Unicode

From: Michael D'Errico (mike-list@pobox.com)
Date: Tue Sep 15 2009 - 19:52:08 CDT

Next message: Vinodh Rajan: "Why Tibetan Composite Vowel Signs are discouraged ?"

Previous message: announcements@unicode.org: "[Unicode Announcement] Public Review Issue: Draft UTS #46: Unicode Compatible IDNA Preprocessing"
In reply to: Jonathan Rosenne: "PKI and Unicode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Mail actions: [ respond to this message ] [ mail a new topic ]

> What is the status of Unicode in PKI and X.509? Is UTF8STRING widely
> supported?

UTF8String has been mandated since January 1, 2004 for all new certificates,
except in the case where a name has been previously established using other
encodings. See the excerpt from RFC 3280 below (which has been superseded
by RFC 5280).

It's always possible that you'll run across some legacy software that was
written prior to the mandate, so you'll have to decide whether supporting
such systems is important to you.

Mike

From RFC 3280:

    The DirectoryString type is defined as a choice of PrintableString,
    TeletexString, BMPString, UTF8String, and UniversalString. The
    UTF8String encoding [RFC 2279] is the preferred encoding, and all
    certificates issued after December 31, 2003 MUST use the UTF8String
    encoding of DirectoryString (except as noted below). Until that
    date, conforming CAs MUST choose from the following options when
    creating a distinguished name, including their own:

(a) if the character set is sufficient, the string MAY be
represented as a PrintableString;

(b) failing (a), if the BMPString character set is sufficient the
string MAY be represented as a BMPString; and

       (c) failing (a) and (b), the string MUST be represented as a
       UTF8String. If (a) or (b) is satisfied, the CA MAY still choose
       to represent the string as a UTF8String.

Exceptions to the December 31, 2003 UTF8 encoding requirements are as
follows:

       (a) CAs MAY issue "name rollover" certificates to support an
       orderly migration to UTF8String encoding. Such certificates would
       include the CA's UTF8String encoded name as issuer and and the old
       name encoding as subject, or vice-versa.

       (b) As stated in section 4.1.2.6, the subject field MUST be
       populated with a non-empty distinguished name matching the
       contents of the issuer field in all certificates issued by the
       subject CA regardless of encoding.

    The TeletexString and UniversalString are included for backward
    compatibility, and SHOULD NOT be used for certificates for new
    subjects. However, these types MAY be used in certificates where the
    name was previously established. Certificate users SHOULD be
    prepared to receive certificates with these types.

Next message: Vinodh Rajan: "Why Tibetan Composite Vowel Signs are discouraged ?"
Previous message: announcements@unicode.org: "[Unicode Announcement] Public Review Issue: Draft UTS #46: Unicode Compatible IDNA Preprocessing"
In reply to: Jonathan Rosenne: "PKI and Unicode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.5 : Tue Sep 15 2009 - 19:55:10 CDT