Re: PKI and Unicode

From: Michael D'Errico (
Date: Tue Sep 15 2009 - 19:52:08 CDT

  • Next message: Vinodh Rajan: "Why Tibetan Composite Vowel Signs are discouraged ?"

    > What is the status of Unicode in PKI and X.509? Is UTF8STRING widely
    > supported?

    UTF8String has been mandated since January 1, 2004 for all new certificates,
    except in the case where a name has been previously established using other
    encodings. See the excerpt from RFC 3280 below (which has been superseded
    by RFC 5280).

    It's always possible that you'll run across some legacy software that was
    written prior to the mandate, so you'll have to decide whether supporting
    such systems is important to you.


     From RFC 3280:

        The DirectoryString type is defined as a choice of PrintableString,
        TeletexString, BMPString, UTF8String, and UniversalString. The
        UTF8String encoding [RFC 2279] is the preferred encoding, and all
        certificates issued after December 31, 2003 MUST use the UTF8String
        encoding of DirectoryString (except as noted below). Until that
        date, conforming CAs MUST choose from the following options when
        creating a distinguished name, including their own:

           (a) if the character set is sufficient, the string MAY be
           represented as a PrintableString;

           (b) failing (a), if the BMPString character set is sufficient the
           string MAY be represented as a BMPString; and

           (c) failing (a) and (b), the string MUST be represented as a
           UTF8String. If (a) or (b) is satisfied, the CA MAY still choose
           to represent the string as a UTF8String.

        Exceptions to the December 31, 2003 UTF8 encoding requirements are as

           (a) CAs MAY issue "name rollover" certificates to support an
           orderly migration to UTF8String encoding. Such certificates would
           include the CA's UTF8String encoded name as issuer and and the old
           name encoding as subject, or vice-versa.

           (b) As stated in section, the subject field MUST be
           populated with a non-empty distinguished name matching the
           contents of the issuer field in all certificates issued by the
           subject CA regardless of encoding.

        The TeletexString and UniversalString are included for backward
        compatibility, and SHOULD NOT be used for certificates for new
        subjects. However, these types MAY be used in certificates where the
        name was previously established. Certificate users SHOULD be
        prepared to receive certificates with these types.

    This archive was generated by hypermail 2.1.5 : Tue Sep 15 2009 - 19:55:10 CDT