[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: invalid syntax when teletexstring



Erwann ABALEA wrote:
First, sorry for having placed this thread in private, that was
unintentional (maybe I should reconsider using a "reply to all" by
default). Group added.

2011/7/29 Howard Chu<hyc@symas.com>:
Erwann ABALEA wrote:
[...]
In fact, I know such a CA that was generated some months ago, with a
very large audience, and whose certificates are to be stored in an
LDAP structure. Czech Republic passport CA certificate. If you want to
know how it's used, and by who, we can talk about it in private, or
you can look at www.icao.int, search for Doc9303 documents, PKD
structure, etc. (In fact, I didn't know of this limitation, and I'll
look forward its impact in integrating the Czech certificates in the
OpenLDAP structures we sell and deploy).
I agree that UTF8String would have been a much better choice, but
X.509 doesn't prevent the use of T61String.
In the meantime, some products still don't support UTF8String in
certificates, a Novell proxy product (I don't remember its exact name)
is an example I encountered recently.

If that's the case, what solutions do you propose? We could accept T61String
if it only uses characters that are present in 7-bit ASCII of course. But
once you venture into 8-bit and extended/accented characters all bets are
off.

I'll need to grab this CA certificate back. I was asked to give my
opinion on whether it was to be considered valid or not.
Despite the fact that T61String is clearly deprecated in
RFC5280/3280/2459, and that ICAO has chosen to base their certificate
profile on RFC3280 (a bad choice), asking for a country to change its
root CA cert signing all its passports because that doesn't follow
rules I personally don't adhere to is difficult and counterproductive.
I wasn't the only one to have this idea, and it was accepted. I'm 99%
sure 7 bits didn't suffice. The remaining 1% will be fixed as soon as
I find the certificate.

Do you have any document or pointer to understand the task of
converting to/from T.61, and incompatible character sets you talked
about? I Googled for this, but I'm not sure of what I found (what I
found reminds me of old character sets we used many years ago in
France for the Minitel, with G1/G2 character groups, etc, not that far
from VT consoles).

You can reference this old draft; I wrote Appendix A and B to document the mapping as we understood it at that time. These Appendices were dropped from the final version because it was considered futile to attempt to document the T.61 character encoding rules.

http://tools.ietf.org/html/draft-ietf-ldapbis-strprep-00#appendix-A

You can also read libldap/t61.c; the code has been present in every OpenLDAP release since 2002 but is not compiled or used.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/