Closed Bug 1268225 Opened 8 years ago Closed 8 years ago

entrust: Invalid Teletext strings

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: kurt, Assigned: bruce.morton)

There are various certificates with an invalid TeletexString / T61String. An example is:
https://crt.sh/?id=17130928&opt=cablint

The organisationName contains the following (hex) bytes: 56 E4 65 73 74 F6 72 65 6B 69 73 74 65 72 69 6B 65 73 6B 75 73, which should probably represent "Väestörekisterikeskus", but it's not valid.

X.690 only sets defaults for G0, C0 and C1. It does not set any value for G1, so using any GR code (E4) without first selecting G1 is clearly wrong. There seems to be an assumption that 103 might be the default registration number, but that's not in any standard. Also, in 103, character 6/4 (E4) is not mapped to the 'ä'. In fact, in none of the registration numbers allowed by X.680 does 6/4 map to an 'ä'.

On the other hand, latin1 (ISO/IEC 8859-1) does map the character at that place. You can't just put a latin1 string in a TeletexString.

Also, https://tools.ietf.org/html/rfc5280#section-4.1.2.4 says:
 
   CAs conforming to this profile MUST use either the PrintableString or
   UTF8String encoding of DirectoryString, with two exceptions.

I don't think any of the exceptions apply.
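
A minimal check for the problem this report describes, as an added example that is not part of the original bug or of cablint: it scans a TeletexString value for GR bytes (0xA0-0xFF) that appear before any ISO 2022 escape sequence designating G1, then re-encodes the value as UTF8String on the assumption (the reporter's guess) that the bytes are Latin-1. The function names and the TLV wrapper around the quoted bytes are constructed for illustration.

```python
ESC = 0x1B
TELETEX_TAG = 0x14  # universal tag 20: TeletexString / T61String
UTF8_TAG = 0x0C     # universal tag 12: UTF8String

# organisationName bytes quoted in the report, wrapped in a constructed TLV.
ORG = bytes.fromhex("56 E4 65 73 74 F6 72 65 6B 69 73 74 65 72 69 6B 65 73 6B 75 73")
SAMPLE_TLV = bytes([TELETEX_TAG, len(ORG)]) + ORG


def parse_short_tlv(der: bytes):
    """Split a primitive DER TLV that uses a short-form length (< 128)."""
    tag, length = der[0], der[1]
    if length & 0x80:
        raise ValueError("long-form length is outside this example")
    value = der[2:2 + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value


def gr_without_g1(value: bytes):
    """Offsets of GR bytes (0xA0-0xFF) used before any G1 designation.

    Only the presence of a designation is tracked; whether the designated
    set is one a TeletexString may use is not checked here.
    """
    g1_designated, offsets, i = False, [], 0
    while i < len(value):
        if value[i] == ESC:
            j = i + 1
            while j < len(value) and 0x20 <= value[j] <= 0x2F:
                j += 1  # intermediate bytes of the escape sequence
            inter = value[i + 1:j]
            # ISO 2022: ESC ) F / ESC - F / ESC $ ) F / ESC $ - F designate G1
            if inter[:1] in (b")", b"-") or inter[:2] in (b"$)", b"$-"):
                g1_designated = True
            i = j + 1  # skip the final byte F
            continue
        if value[i] >= 0xA0 and not g1_designated:
            offsets.append(i)
        i += 1
    return offsets


def as_utf8string(value: bytes, assumed_charset: str = "latin-1") -> bytes:
    """Re-encode as a UTF8String TLV, assuming the issuer meant Latin-1."""
    text = value.decode(assumed_charset).encode("utf-8")
    if len(text) >= 0x80:
        raise ValueError("long-form length is outside this example")
    return bytes([UTF8_TAG, len(text)]) + text
```

On the bytes from the report, the check flags offsets 1 and 5 (E4 and F6), the two positions that only make sense under the Latin-1 reading.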
Hi Bruce and Jay, Please resolve the issues listed in this bug, and update the bug with progress.
Assignee: kwilson → bruce.morton
Hi Kurt/Kathleen,

We are aware of this bug, do have a fix and are currently testing. Will provide update when the fix has been deployed.

Thanks, Bruce.
The fix was implemented last week and this issue is not indicated by cablint at 
https://crt.sh/?cablint=1+week.

Thanks, Bruce.
Kurt, May we close as fixed?
Yes.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program