Unicode for CAcert

First we have to research:

OpenPGP

OpenPGP is rather good in that area, since the OpenPGP standard defines UTF-8 to be the only encoding possible. (Likely a few applications don´t do that properly yet, but at least the standard is clear).

X.509

For X.509, I think there is a UTF8-String string-type, which could be used, but I don´t know much about the compatibility of the applications. I heard that there are a few standards which demand other stringtypes than UTF8String for specific fields, so the standards have to be examinde.

PHP

utf8_decode

Unicode exploits

We have to search for Unicode exploits that happened to other software, verify the Unicode handling routines that are implemented in the software that we are using, to see whether it can be exploited. One potential problem are Beginning-of-Unicode-character Bytes followed by 0x00 Bytes. Another often found problem are Non-Unicode Bytes inside a supposed to be Unicode string, which KDE for example likes to crash on.

TODO:

Help Needed

If you want to help us with the Unicode Taskforce, please contact us!

UnicodeTaskForce (last edited 2016-02-29 14:10:46 by AlesKastner)