
Re: DN Encoding by UTF8String




I must admit that I am not surprised.....


The encodings supported by older applications are many and various, but nearly all of them share one of two properties:

- They are US-ASCII compatible
- When using non-US-ASCII characters, they are violating the X.509 standards that they claim conformance to


If declaring that a number of applications are violating the IETF standards, and not just the ITU standards, on January 1, 2004 will help bring that day closer, I'm all for it.

Sooner or later, the industry, IMHO, will have to embrace UTF-8 fully; supporting the mess we've created for ourselves forever is not in the best long term interest of the network.

As far as I know, there will be nobody coming to punish people issuing non-UTF-8 certificates after Jan 1, 2004 that contain non-UTF8 encoding. And people will violate the standards to keep their legacy applications running; that is how networks have always operated.

But IMHO, they should be ashamed of themselves when they do so, and strive towards eliminating the need for doing so as soon as possible. Not because I say so, but because it's for the long term good of the Internet.

My opinion.

Harald Alvestrand


--On 6 December 2003 13:29 -0500 Russ Housley <housley@xxxxxxxxxxxx> wrote:


This was added to RFC 2459, and retained in RFC 3280, based on comments
from Harald Alvestrand. As most of the recipients know, Harald is the
Chair of the IETF, and a member of the IESG. Tim Polk spent a lot of
time on this issue, negotiating the exact words with Harald and any
others. The desire is for certificate issuers to embrace international
character sets.

Beyond this recap of the history, I will let Harald speak for himself.

Russ


----------------------- Original Message -----------------------
From: Masaki SHIMAOKA <shimaoka@xxxxxxxxxxx>
To: Tim Polk <tim.polk@xxxxxxxx>, Stephen Kent <kent@xxxxxxx>, rhousley@xxxxxxxxxxxxxxx, wford@xxxxxxxxxxxx, dsolo@xxxxxxxxxxxx
Date: Fri, 05 Dec 2003 16:09:10 +0900
Subject: DN Encoding by UTF8String

Dear Authors and WG Chairs,

RFC3280 mentioned that "all certificates issued after Dec 31, 2003 MUST
use UTF8String encoding".

However, it seems that some applications do not yet support UTF8String
respectably and the detail of the name comparison rule does not consider
UTF8String sufficiently.

Therefore, existing CAs using encodings other than UTF8String for DN
encoding SHOULD take the following action until these UTF8String problems
are solved.

     The encoding for the issuer field of certificates issued after 2004
     SHOULD be the same as the encoding for the subject field of the CA
     certificate already issued.

Is this correct?

Of course, when the UTF8String problem is solved, all certificates
issued MUST use UTF8String encoding.
I worry that some confused CAs will issue wrong certificates by forcibly
using UTF8String encoding, even though the CA had used another encoding
until now.

Best regards,
-----
Masaki SHIMAOKA

SECOM Trust.net
System Engineering Dpt.
Tel: +81 422 91 8498 (ext.3605)
Fax: +81 422 45 0536
e-mail: shimaoka@xxxxxxxxxxx
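
An added example, not part of the original messages: the question above turns on whether a certificate's issuer field keeps the same string type as the subject of the CA certificate already issued. This sketch reads the ASN.1 string tag of each DN attribute and reports where the two differ, assuming a relying party that compares encoded names byte for byte; the sample names and all function names are constructed for illustration.

```python
STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
                0x1C: "UniversalString", 0x1E: "BMPString"}

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def dn_string_types(name_der):
    """Return [(attribute OID as hex, string type)] for a DER-encoded Name."""
    tag, rdns, _ = read_tlv(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    found = []
    for _, rdn in children(rdns):           # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):        # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (vtag, _) = list(children(atv))[:2]
            found.append((oid.hex(), STRING_TYPES.get(vtag, hex(vtag))))
    return found

def encoding_mismatches(issuer_der, ca_subject_der):
    """Attributes whose OID or string type differs: (oid, issuer type, CA type)."""
    pairs = zip(dn_string_types(issuer_der), dn_string_types(ca_subject_der))
    return [(i[0], i[1], s[1]) for i, s in pairs if i != s]

def tlv(tag, value):                        # builds the samples; short lengths only
    return bytes([tag, len(value)]) + value
def sample_name(string_tag, cn):            # Name with one commonName (2.5.4.3) RDN
    atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(string_tag, cn))
    return tlv(0x30, tlv(0x31, atv))

# Constructed sample Names (hypothetical CA, not from a real certificate).
CA_SUBJECT = sample_name(0x13, b"Example CA")    # CA certificate: PrintableString
ISSUER_KEPT = sample_name(0x13, b"Example CA")   # issuer keeps the CA's encoding
ISSUER_UTF8 = sample_name(0x0C, b"Example CA")   # issuer re-encoded as UTF8String
```

The two issuer names carry the same text, but only `ISSUER_KEPT` is byte-identical to `CA_SUBJECT`; `ISSUER_UTF8` differs in the single tag octet that `encoding_mismatches` reports.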