From: Michael D'Errico (email@example.com)
Date: Tue Sep 15 2009 - 19:52:08 CDT
> What is the status of Unicode in PKI and X.509? Is UTF8STRING widely
UTF8String has been mandated since January 1, 2004 for all new certificates,
except in the case where a name has been previously established using other
encodings. See the excerpt from RFC 3280 below (which has been superseded
by RFC 5280).
It's always possible that you'll run across some legacy software that was
written prior to the mandate, so you'll have to decide whether supporting
such systems is important to you.
From RFC 3280:
The DirectoryString type is defined as a choice of PrintableString,
TeletexString, BMPString, UTF8String, and UniversalString. The
UTF8String encoding [RFC 2279] is the preferred encoding, and all
certificates issued after December 31, 2003 MUST use the UTF8String
encoding of DirectoryString (except as noted below). Until that
date, conforming CAs MUST choose from the following options when
creating a distinguished name, including their own:
(a) if the character set is sufficient, the string MAY be
represented as a PrintableString;
(b) failing (a), if the BMPString character set is sufficient the
string MAY be represented as a BMPString; and
(c) failing (a) and (b), the string MUST be represented as a
UTF8String. If (a) or (b) is satisfied, the CA MAY still choose
to represent the string as a UTF8String.
Exceptions to the December 31, 2003 UTF8 encoding requirements are as follows:
(a) CAs MAY issue "name rollover" certificates to support an
orderly migration to UTF8String encoding. Such certificates would
include the CA's UTF8String encoded name as issuer and the old
name encoding as subject, or vice-versa.
(b) As stated in section 4.1.2.6, the subject field MUST be
populated with a non-empty distinguished name matching the
contents of the issuer field in all certificates issued by the
subject CA regardless of encoding.
The TeletexString and UniversalString are included for backward
compatibility, and SHOULD NOT be used for certificates for new
subjects. However, these types MAY be used in certificates where the
name was previously established. Certificate users SHOULD be
prepared to receive certificates with these types.
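The encoding ladder quoted above ((a) PrintableString, (b) BMPString, (c) UTF8String, then UTF8String only for anything issued after December 31, 2003) and the advice that certificate users be prepared to receive TeletexString and UniversalString translate directly into code. The following is an added example, not part of the message or of RFC 3280: a small pure-Python DER encoder/decoder for a single DirectoryString value, plus the cross-encoding comparison a path builder needs for the "name rollover" case in exception (a). The tag values are the X.680 universal-class tags; decoding TeletexString as Latin-1 is my assumption (the approximation most deployed software applies to T.61), and the function names are my own.

```python
# DER universal-class tags of the five DirectoryString alternatives.
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_TELETEXSTRING = 0x14
TAG_UNIVERSALSTRING = 0x1C
TAG_BMPSTRING = 0x1E

# PrintableString repertoire (X.680): letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")


def _der_length(n):
    """Minimal definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80 or length < (1 << (8 * (n - 1))):
        raise ValueError("non-minimal DER length")  # DER forbids e.g. 81 05 for 5
    return length, pos + 1 + n


def encode_directory_string(text, issued_after_2003=True):
    """Choose the alternative RFC 3280 4.1.2.4 prescribes and DER-encode it.

    After 2003-12-31: always UTF8String. Before: PrintableString if the
    repertoire suffices (a), else BMPString if all chars are in the BMP (b),
    else UTF8String (c).
    """
    if issued_after_2003:
        tag, payload = TAG_UTF8STRING, text.encode("utf-8")
    elif all(c in PRINTABLE_CHARS for c in text):
        tag, payload = TAG_PRINTABLESTRING, text.encode("ascii")
    elif all(ord(c) <= 0xFFFF for c in text):
        tag, payload = TAG_BMPSTRING, text.encode("utf-16-be")
    else:
        tag, payload = TAG_UTF8STRING, text.encode("utf-8")
    return bytes([tag]) + _der_length(len(payload)) + payload


def decode_directory_string(der):
    """Parse one DirectoryString TLV, accepting all five alternatives (a
    relying party SHOULD accept the legacy ones) but rejecting malformed data."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag = der[0]
    length, pos = _read_length(der, 1)
    if pos + length != len(der):
        raise ValueError("length does not match buffer")
    payload = der[pos:pos + length]
    if tag == TAG_UTF8STRING:
        return payload.decode("utf-8")  # strict: rejects overlong forms, surrogates
    if tag == TAG_PRINTABLESTRING:
        text = payload.decode("ascii")
        if not all(c in PRINTABLE_CHARS for c in text):
            raise ValueError("character outside PrintableString repertoire")
        return text
    if tag == TAG_BMPSTRING:
        if length % 2:
            raise ValueError("BMPString length not a multiple of 2")
        text = payload.decode("utf-16-be")
        if any(ord(c) > 0xFFFF for c in text):
            raise ValueError("surrogate pair in BMPString")
        return text
    if tag == TAG_UNIVERSALSTRING:
        if length % 4:
            raise ValueError("UniversalString length not a multiple of 4")
        return payload.decode("utf-32-be")
    if tag == TAG_TELETEXSTRING:
        # Assumption: decode T.61 as Latin-1, the approximation most software uses.
        return payload.decode("latin-1")
    raise ValueError("tag 0x%02X is not a DirectoryString alternative" % tag)


def is_valid_directory_string(der):
    """True if der is a well-formed DirectoryString of any alternative."""
    try:
        decode_directory_string(der)
        return True
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return False


def names_match(a, b):
    """Chain-building check for a "name rollover" certificate: the issuer and
    subject names must match regardless of encoding. Exact match after decoding;
    RFC 5280 7.1 additionally calls for StringPrep normalisation (not done here)."""
    return decode_directory_string(a) == decode_directory_string(b)
```

A relying party that compares names by raw DER bytes would reject a rollover chain in which the CA's UTF8String-encoded issuer name meets the same name encoded as PrintableString in an older certificate's subject; comparing after decoding, as `names_match` does, is the minimum that exception (b) above requires. The strict decoder matters too: overlong UTF-8, odd-length BMPString and non-minimal lengths are all rejected rather than guessed at, which is where lenient legacy parsers have historically gone wrong.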