Re: [pkix] Strings in certificates

Sean Turner <sean@sn3rd.com> Mon, 25 January 2016 22:25 UTC

From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CAK6vND-NRgJVW9Qjg+vktv5s0TGhGtMBB76f5hQ77nvsqz9JXw@mail.gmail.com>
Date: Mon, 25 Jan 2016 17:25:30 -0500
Message-Id: <A9FBB43B-47E7-4144-91EA-F5013A41BEA7@sn3rd.com>
References: <CAK6vND-NRgJVW9Qjg+vktv5s0TGhGtMBB76f5hQ77nvsqz9JXw@mail.gmail.com>
To: Peter Bowen <pzbowen@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/vFdKlQQvRQ-JiM45RqvUOfifJMI>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Strings in certificates

My two cents …

On Jan 18, 2016, at 22:10, Peter Bowen <pzbowen@gmail.com> wrote:
> 
> In writing certlint (https://github.com/awslabs/certlint), I ran
> across several items related to strings in certificates that are
> slightly unclear.  I’m hoping that someone might be able to help
> clarify a few things:
> 
> 
> 1) TeletexString, BMPString, and UniversalString types of DirectoryStrings
> 
> RFC 5280 says CAs should not use TeletexString, BMPString, and
> UniversalString types for DirectoryStrings.  As early as 1999 (RFC
> 2459) these were flagged as deprecated.
> 
> Is there anything that has moved these to SHALL NOT/MUST NOT or are we
> still at SHOULD NOT?

I’d love to hear that CAs haven’t generated these string types for the last decade ….

> 2) VisibleString and BMPString types of DisplayText
> 
> RFC 5280 says:
>      Conforming CAs SHOULD use the
>      UTF8String encoding for explicitText, but MAY use IA5String.
>      Conforming CAs MUST NOT encode explicitText as VisibleString or
>      BMPString.
> 
> However the organization field of noticeref also uses DisplayText.  Do
> the same rules apply?

I remember something about this … ah yeah @ IETF 74:
https://ietf.org/proceedings/74/slides/pkix-3.pdf

I think it was just meant to apply to explicitText because that’s what was seen in the wild given the following statement in s4.2.1.4:
"Conforming CAs SHOULD NOT use the noticeRef option."

> 3) Unicode normalization
> 
> A number of fields in certificates can take unicode strings.  Is there
> any specification as to how (or if) they should be normalized?

I thought there were references in s7 of RFC 5280 (and some tweaks in s5 of RFC 6818).  There’s also some additional information in RFC 6125.  In a perfect world, the output of precis (https://datatracker.ietf.org/wg/precis/documents/) would be adopted the world over.  I’m not going to hold my breath though.

spt
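As an added illustration of the lint checks questions 1 and 2 are about (example code, not certlint's own and not from either poster): a minimal DER walker that reports which ASN.1 string tag each AttributeValue of a Name uses and applies the RFC 5280 SHOULD NOT / MUST NOT rules to it. The tag numbers, OIDs and the sample Name are constructed here; `string_tag_verdict` and `lint_name` are hypothetical names.

```python
# Added example (not certlint's code): RFC 5280 string-type rules applied to a constructed DER Name.
TAG_NAMES = {12: "UTF8String", 19: "PrintableString", 20: "TeletexString",
             22: "IA5String", 26: "VisibleString", 28: "UniversalString", 30: "BMPString"}
DIRSTRING_SHOULD_NOT = {20, 28, 30}  # RFC 5280 s4.1.2.4: deprecated DirectoryString choices
DISPLAYTEXT_MUST_NOT = {26, 30}      # RFC 5280 s4.2.1.4: forbidden for explicitText

def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, value) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def string_tag_verdict(tag, context):
    """RFC 5280 verdict for a string tag used as a DirectoryString or as explicitText."""
    if context == "DirectoryString":
        return "SHOULD NOT (deprecated)" if tag in DIRSTRING_SHOULD_NOT else "ok"
    if context == "explicitText":
        return "MUST NOT" if tag in DISPLAYTEXT_MUST_NOT else "ok"
    raise ValueError(context)

def lint_name(name_der):
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; list (oid_hex, tag, verdict)."""
    findings = []
    _, rdns, _ = read_tlv(name_der)
    for _, rdn in iter_tlvs(rdns):
        for _, atv in iter_tlvs(rdn):
            (_, oid), (tag, _) = list(iter_tlvs(atv))[:2]
            findings.append((oid.hex(), TAG_NAMES.get(tag, f"tag {tag}"),
                             string_tag_verdict(tag, "DirectoryString")))
    return findings

def tlv(tag, content):
    """Tiny DER encoder (short-form length only) for building the constructed sample."""
    return bytes([tag, len(content)]) + content
def atv(oid, tag, text):                    # AttributeTypeAndValue wrapped in its SET
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text)))

SAMPLE_NAME = tlv(0x30, atv(b"\x55\x04\x06", 19, b"US")                      # C, PrintableString
              + atv(b"\x55\x04\x0a", 30, "Example".encode("utf-16-be"))      # O, BMPString
              + atv(b"\x55\x04\x03", 12, "example".encode("utf-8")))         # CN, UTF8String
```

Running `lint_name(SAMPLE_NAME)` flags only the BMPString organization value; the same `string_tag_verdict` with context `"explicitText"` gives the MUST NOT result for VisibleString or BMPString in a UserNotice.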