Package: racoon Version: 0.7.1-1.2 This is half a bug and half a suggestion for enhancement. At the very least I want to write up a summary of my thoughts about the issue.
According to RFC 2459 and successors (the latest is RFC 5280), we should all be using UTF8 or Printable strings in certificates, to the exclusion of T61 and BMP. This is the PKIX recommendation for certificates issued from 2004 onwards, and I'm following it. OpenSSL still doesn't default to this behaviour, but it offers a pair of functions, ASN1_STRING_set_default_mask(unsigned long mask) and ASN1_STRING_set_default_mask_asc(char *p), to control this aspect. As of today, racoon does not call these functions; therefore its eay_str2asn1dn() uses Printable, T61 and BMP string encodings. An undocumented (i.e., one has to read the source code to find out about it) workaround exists: if in the configuration file the value of an asn1dn literal is a ~ followed by the hexadecimal representation of an ASN.1-encoded DN, this will bypass eay_str2asn1dn(). This works well but is not very user-friendly. => to do: describe this feature in the racoon.conf(5) man page. Now for the enhancement suggestion: A more pleasant solution than the use of hexadecimal notation would be to allow the string encoding rule to be spelled out in racoon.conf. This should be done on a per-DN basis, although the ability to change the global default may also be of some use. Syntactically, this could be achieved with a qualifier (see the syntax for the "my_identifier" keyword; currently only the "keyid" identifier type can have qualifiers) and a straightforward extension of function set_identifier_qual(). -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
