> So I am wondering what the officially correct behavior is > when verifying such a case. Should the > SignerInfo.issuerAndSerialNumber.issuer be treated as > matching or as not matching a certificate in which an > otherwise identical string is tagged differently but > represents the same textual value (because it uses only > the common subset of the two string encodings)? DN's are required to be encoded with UTF8String since RFC 3280 (circa 2004). RFC 4158, Certification Path Building, tells us some agents may not handle encodings well, like BMPString. I think you may have found a few examples. Jeff
