[openssl-users] Strictness of comparing distinguished names
noloader at gmail.com
Fri Oct 2 14:20:54 UTC 2015
> So I am wondering what the officially correct behavior is
> when verifying such a case. Should the
> SignerInfo.issuerAndSerialNumber.issuer be treated as
> matching or as not matching a certificate in which an
> otherwise identical string is tagged differently but
> represents the same textual value (because it uses only
> the common subset of the two string encodings)?
DN's are required to be encoded with UTF8String since RFC 3280 (circa 2004).
Certification Path Building, tells us some agents may not handle
encodings well, like BMPString. I think you may have found a few
More information about the openssl-users