
Re: [Users] W2K IPsec tool?

From: Andreas Haumer (andreas_at_xss.co.at)
Date: Wed Mar 13 2002 - 21:57:35 CET


Hi!

Andreas Steffen wrote:
>
[...]
> > Is there a RFC which specifies the legal characters in
> > a DSN or is this "feature" a "Microsoftism"?
>
> you have touched a very sensitive subject where no clear-cut
> solutions exist - namely the coding of distinguished names
> containing special characters. E.g. the IETF PKIX RFC 2459
> "Internet X.509 Public Key Infrastructure Certificate and CRL Profile"
> defines the distinguished name to consist of the types
>
[...]

(I really love protocol specifications with lots of "MAY", "SHOULD"
and "CHOICE" :-)

>
> As you can see from this gibberish, Microsoft cannot be blamed when
> they have problems with the coding of special characters. The
> X.509 patch currently codes strings containing special characters
> as T61Strings whereas the latest version 1.3 of SSH Sentinel seems
> to code them as UTF8Strings.
>
Hm, but I blame them for not providing sane error messages!
"error in CertStrToName = -2146885597" is not what I call intuitive...
;-)

Even more if you take into account that you first have to enable
logging of these error messages by changing some obscure registry
entry. Otherwise Windows doesn't tell you a single word about
what is going wrong...

> As a general guideline I just can recommend to refrain from using
> special characters such as "umlauts", '+' or '&', and even '@' lately
> seems to pose some problems. I intend to make comparisons of
> such strings more tolerant in future versions of the X.509 patch,
> but there will always remain a certain risk that the two endpoints
> of an IPsec connection using distinguished names will have different
> opinions concerning the comparison of these IDs.
>
Yes, I believe so, too.

Would it be a good idea to include a short paragraph about
this issue in your x509 Patch Installation & Configuration
Guide and/or in Marcus' installation instructions for his tool?

It might help people to avoid choosing problematic distinguished
names in the first place...

- andreas

-- 
Andreas Haumer                     | mailto:andreas_at_xss.co.at
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
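As an added illustration of the point made in this thread (not code from the thread, the X.509 patch or SSH Sentinel), the following Python script encodes the same attribute value once as a T61String (tag 0x14) and once as a UTF8String (tag 0x0C), shows that the DER bytes differ even though the name is "the same", and contrasts a byte-wise ID comparison with a tolerant one that decodes both sides to Unicode and normalises them before comparing. It also includes a small check that flags the characters the thread recommends avoiding. The tiny DER encoder/decoder here is hypothetical helper code written for this example and handles only short-form lengths; it follows the common implementation practice (OpenSSL among others) of treating T61String bytes as ISO 8859-1, which is an assumption, since strict T.61 uses combining diacritics instead.

```python
"""Why two IPsec peers can disagree on whether two DN attribute values match.

Added example, not from the mailing-list thread. Assumptions:
  - only short-form DER lengths (< 128 bytes) are handled;
  - T61String bytes are interpreted as ISO 8859-1 (Latin-1), as many
    implementations do; real T.61 encodes accented letters differently.
"""
import unicodedata

TAG_UTF8STRING = 0x0C   # ASN.1 universal tag for UTF8String
TAG_T61STRING = 0x14    # ASN.1 universal tag for T61String (TeletexString)

# Characters RFC 2253 treats specially in a string DN, plus the ones the
# thread reports as troublesome in practice ('&' and '@').
RFC2253_SPECIALS = set(',=+<>#;\\"')
THREAD_SPECIALS = set('&@')


def der_encode_string(tag, text):
    """Encode `text` as a DER string of the given tag (short-form length only)."""
    if tag == TAG_UTF8STRING:
        body = text.encode("utf-8")
    elif tag == TAG_T61STRING:
        body = text.encode("latin-1")  # assumption: T61String == Latin-1
    else:
        raise ValueError("unsupported string tag 0x%02x" % tag)
    if len(body) >= 128:
        raise ValueError("long-form length not handled in this example")
    return bytes([tag, len(body)]) + body


def der_decode_string(data):
    """Decode one DER string TLV into a Python str, checking the length field."""
    if len(data) < 2:
        raise ValueError("truncated TLV header")
    tag, length = data[0], data[1]
    if length >= 128:
        raise ValueError("long-form length not handled in this example")
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated TLV body")
    if tag == TAG_UTF8STRING:
        return body.decode("utf-8")
    if tag == TAG_T61STRING:
        return body.decode("latin-1")  # assumption: T61String == Latin-1
    raise ValueError("unsupported string tag 0x%02x" % tag)


def strict_equal(der_a, der_b):
    """Byte-wise comparison: tag, length and body must all be identical."""
    return der_a == der_b


def normalize(text):
    """Unicode NFC, collapse internal whitespace, case-fold (RFC 4518 style)."""
    text = unicodedata.normalize("NFC", text)
    text = " ".join(text.split())
    return text.casefold()


def tolerant_equal(der_a, der_b):
    """Decode both encodings to Unicode and compare the normalised strings."""
    return normalize(der_decode_string(der_a)) == normalize(der_decode_string(der_b))


def risky_characters(value):
    """Return the characters in a DN attribute value likely to cause trouble:
    anything non-ASCII (umlauts etc.), RFC 2253 specials, and '&'/'@'."""
    return {c for c in value
            if ord(c) > 127 or c in RFC2253_SPECIALS or c in THREAD_SPECIALS}


if __name__ == "__main__":
    name = "Müller"                       # constructed sample value
    as_t61 = der_encode_string(TAG_T61STRING, name)
    as_utf8 = der_encode_string(TAG_UTF8STRING, name)
    print("T61String :", as_t61.hex())
    print("UTF8String:", as_utf8.hex())
    print("byte-wise equal   :", strict_equal(as_t61, as_utf8))
    print("tolerant equal    :", tolerant_equal(as_t61, as_utf8))
    print("risky characters  :", sorted(risky_characters("*x Software + Systeme & Co, Müller@xss")))
```

Running it shows the two encodings differ in tag, length and body bytes, so a peer that compares IDs byte-wise rejects the connection, while the tolerant comparison accepts it. The practical defence the thread recommends still stands: checking candidate values with `risky_characters` before issuing certificates avoids depending on both endpoints agreeing on the comparison rules.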



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:42 CEST