
Re: DN Encoding by UTF8String



In message <200312151122.hBFBM9P15024@xxxxxxxxxxxxxxxxx> on Tue, 16 Dec 2003 00:22:09 +1300, pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann) said:

pgut001> Richard Levitte - VMS Whacker <levitte@xxxxx> writes:
pgut001> 
pgut001> >OpenSSL provides a limited set of rules for comparing DNs: it
pgut001> >does space normalization and a case insensitive compare for
pgut001> >PrintableString, and case insensitive comparison for
pgut001> >IA5String if the attribute type is emailAddress from pkcs#9.
pgut001> >For all other strings, a straight memcmp() is done.  Would
pgut001> >you say we're going overkill? 
pgut001> 
pgut001> Hmm, I don't know if it's a good idea to encourage this sort
pgut001> of behaviour (that is, apps that generate certs that require
pgut001> custom code in order to work).  Some years ago (after I
pgut001> snapped out of my X.520 delusion and switched to memcmp()) a
pgut001> vendor complained that cryptlib was failing to find a cert
pgut001> with a canonicalised name.  I told them to try the same thing
pgut001> with Netscape and MSIE, and fairly soon afterwards (within a
pgut001> matter of days, I think) they had a service release out that
pgut001> didn't try and modify names any more.
pgut001> 
pgut001> If cryptlib had still been using the X.520 comparison at that
pgut001> time, they might have gone ahead and deployed a product that
pgut001> failed in the field once it was exposed to other
pgut001> implementations.  Better to be strict and let darwinism do
pgut001> its work.  If Netscape had been less lenient about accepting
pgut001> all kinds of broken HTML, it wouldn't have encouraged the
pgut001> spread of apps that generate the broken HTML.

I understand your thoughts, and I agree that following the KISS
principle (does anyone need that explained?) is tempting.  However,
I'd say that your comparison between non-compliance with X.520
comparison rules and Netscape's broken HTML is flawed.  On one hand,
from the point of view of X.520, MSIE and Netscape are broken since
they don't follow the rules, and that's what you want to encourage.
On the other hand, Netscape's acceptance of some HTML was also broken
from the point of view of HTML, and you seem to want to discourage
that.  The conclusion is that you support breaking the rules in some
cases, while not in others.  That doesn't seem very consistent to
me...

Now from the point of view of "this makes sense", I can understand
your views, but I have to ask "from whose point of view?"  Is everyone
accepting Peter Gutmann as an authority?  I can accept that if that's
the common rule :-).

pgut001> >I'm not sure about that, since those special cases were
pgut001> >added fairly recently, after we got some user complaint, and
pgut001> >possibly after I had a run with the NIST PKI test bunch...
pgut001> 
pgut001> Are those test certs representative of real-world usage
pgut001> though?

Considering it's NIST we're talking about, I wouldn't be surprised if
there are some US gov. examples behind those tests...

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
You don't have to be rich, a $10 donation is appreciated!

-- 
Richard Levitte     | http://richard.levitte.org/ | Tunnlandsv. 3
Levitte Programming | http://www.lp.se/           | S-168 36 Bromma
T: +46-708-26 53 44 |                             | SWEDEN
     "Price, performance, quality...  choose the two you like"
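The DN comparison rules Richard quotes above (space normalisation and case-insensitive compare for PrintableString, case-insensitive compare for IA5String only when the attribute is PKCS#9 emailAddress, a straight memcmp() for everything else, UTF8String included), written out as a small matcher. This is an added illustration, not OpenSSL's or cryptlib's code; the `Attribute` type and the reading of "space normalisation" as strip-plus-collapse are assumptions.

```python
# Added example, not OpenSSL's code: the per-attribute DN comparison rules
# described in the thread, as a small stand-alone matcher.
from dataclasses import dataclass
import re

# ASN.1 string types the rules distinguish (labels are constructed here).
PRINTABLE_STRING = "PrintableString"
IA5_STRING = "IA5String"
UTF8_STRING = "UTF8String"

# PKCS#9 emailAddress attribute type.
EMAIL_ADDRESS_OID = "1.2.840.113549.1.9.1"


@dataclass(frozen=True)
class Attribute:
    oid: str          # attribute type as a dotted OID string
    string_type: str  # ASN.1 string type of the value
    value: bytes      # raw value bytes as found in the encoded DN


def _normalize_space(value: bytes) -> bytes:
    """Assumed meaning of 'space normalisation': drop leading/trailing
    spaces and collapse internal runs of spaces to a single space."""
    return re.sub(rb" +", b" ", value.strip(b" "))


def attributes_match(a: Attribute, b: Attribute) -> bool:
    """Compare two DN attributes with the rules quoted in the thread."""
    # Different attribute type or different string encoding never matches.
    if a.oid != b.oid or a.string_type != b.string_type:
        return False
    if a.string_type == PRINTABLE_STRING:
        # Space normalisation plus case-insensitive compare (ASCII only).
        return _normalize_space(a.value).lower() == _normalize_space(b.value).lower()
    if a.string_type == IA5_STRING and a.oid == EMAIL_ADDRESS_OID:
        # Case-insensitive only for the emailAddress special case.
        return a.value.lower() == b.value.lower()
    # Everything else, including UTF8String: the memcmp() equivalent.
    return a.value == b.value


def dn_match(dn_a: list, dn_b: list) -> bool:
    """Two DNs match only if they have the same length and each attribute
    pair matches under attributes_match()."""
    return len(dn_a) == len(dn_b) and all(
        attributes_match(x, y) for x, y in zip(dn_a, dn_b)
    )
```

The last branch is the point of the thread: a UTF8String CN that differs only in case or spacing from the issuer's encoding will not be found, which is why a CA that canonicalises names on the way out breaks lookups in strict implementations.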