[openssl-users] Strictness of comparing distinguished names

Jeffrey Walton noloader at gmail.com
Fri Oct 2 14:20:54 UTC 2015


> So I am wondering what the officially correct behavior is
> when verifying such a case.  Should the
> SignerInfo.issuerAndSerialNumber.issuer be treated as
> matching or as not matching a certificate in which an
> otherwise identical string is tagged differently but
> represents the same textual value (because it uses only
> the common subset of the two string encodings)?
DN's are required to be encoded with UTF8String since RFC 3280 (circa 2004).

RFC 4158,

Certification Path Building, tells us some agents may not handle
encodings well, like BMPString. I think you may have found a few
examples.

Jeff


More information about the openssl-users mailing list