View Issue Details

IDProjectCategoryView StatusLast Update
0000008Main CAcert WebsiteGPG/PGPpublic2015-03-03 21:16
Reporterroe Assigned ToSourcerer  
PrioritynormalSeveritymajorReproducibilityalways
Status needs reviewResolutionopen 
Product Version2005 
Target Version2015 Q1 
Summary0000008: Normalization of special characters when comparing names
DescriptionThere is a flaw in the name matching algorithm, eg. when matching the names on GPG key UIDs with the name in the CAcert database: Umlauts are not translated or normalized. The German Umlaut "ö" (o with two dots) is exactly the same as the two letter combination "oe", and the same goes for ü/ue and ä/ae.

So for instance, I have "Röthlisberger" on record with CAcert, while my GPG keys spell "Roethlisberger" (less charset hassle when using the oe form). I cannot add my perfectly valid GPG keys to my CAcert account because "Röthlisberger" does not match "Roethlisberger".

Lots of people with weird characters in their names prefer to sometimes use a plain 7bit ASCII version of their name, in order to avoid encoding hassle, and that seems to be perfectly legitimate and should be fully supported by CAcert.

Please fix the name matching algorithm to cather for German Umlauts and treat öäü the same as oeaeue and oau. Otherwise people with special characters in their names will not be able to use some features of CAcert.

There are probably similar problems with many other European languages, like French accents (éàèç) or nordic special letters.

The only alternative is to remind people that they should choose the same version of their name like they use on GnuPG keys and as they want the name to appear in SSL/TLS certs. (And, give people like me some option to change my name in the CAcert database to the 7bit US ASCII representation)
Additional InformationThe beginning of a special character translation table:
ö = oe = o
ü = ue = u
ä = ae = a
é = e
è = e
à = a
ç = c

(there are many more in other areas of the world -- these are just the ones which are common in Switzerland)
TagsNo tags attached.
Reviewed by
Test InstructionsTry to sign PGP keys with various variants of the name on record.

Relationships

related to 0000991 needs workNEOatNHNG commonName is wrongly burned on CSR 
related to 0000851 new Problems with diacritical letters in CAP-Form and certifcate 
related to 0001097 closedNEOatNHNG Special characters which have no HTML-entities are not properly escaped 
has duplicate 0000992 closedNEOatNHNG Problem with diacritic characters while adding PGP/GPG public key 
related to 0000089 needs workSourcerer GPG Revokation Escrow Service 
related to 0001079 needs work GPG key can not be revoked 
related to 0001184 closedBenBE Hex2bin function 
related to 0001354 needs reviewBenBE Problems with diacretics and non-latin1 characters 

Activities

roe

2005-09-02 06:18

reporter   ~0000001

Actually, it just says "No emails found on your key" now when I upload my (rather large) main key. I had to strip my key down to its bare essentials (just non-revoked uids and only self-sigs) in order to get the error message: "No suitable name combination could be matched from your PGP/GPG keys to what we have in the database ('Daniel Roethlisberger')"

duane

2006-08-08 06:12

developer   ~0000333

Is anyone able to propose a fix/patch for this at all?

stefanb

2009-04-20 10:46

reporter   ~0001376

Last edited: 2009-04-28 05:35

Character normalization table for Slovenian language:
?=C
?=c
Ž=Z
ž=z
Š=S
š=š
?=C
?=c
?=Dz/Dj
?=dz/dj
(it seems Manitis has problems with non-western encodings, so here's the link to those, and other characters: http://www.slovo.info/testuni.htm )

Alternative normalizations in the last two lines and rules depending on language would mean that names (first, last, middle, suffix) would need to entered by user, and confirmed by assurers in order to be made promoted into valid name variations.

My real name is "Štefan", but it is legal to write it as "Stefan" if there are (or might be) technical obstacles. I registered with "Stefan", because even government issued x509 certificates are normalized this way (even if "Stefan" is similar, but different valid name).

I warned my assurers about the difference in case we need to reassure. It says "Štefan" on CAP forms.

One day I'd love to get my real name into the certificates, but first just for testing purposes to make sure no important tool is terribly broken, and with always available option to revert to normalized name.

It would also be great if users could choose which variant of their name would be put into the client certificate, so they can have 2 name variants at the same time.

In my PGP key i have both names, but only the key with "Stefan" was signed by CAcert.

Werner Dworak

2012-12-20 17:54

updater   ~0003485

AFAIK there is no real solution possible. You can only create a second name in the GPG that matches the CAcert name, or you change the CAcert name (omit non-ASCII or non-ANSI character) to the GPG name.

felixd

2014-06-15 08:53

updater   ~0004831

Is it now possible with www/utf8_to_ascii ?

BenBE

2015-01-03 02:16

updater   ~0005218

See bug 0001354 for the bug fix as this was done in combination.

Eva

2015-01-06 21:18

updater   ~0005226

The tests for 1354 are exactly the same as for this bug. So tests for one bug should cound for both, as the relevant code is the same as well.

felixd

2015-03-03 21:13

updater   ~0005344

I did a test of 0001354 that had the same test instructions. => Test PASSED

Eva

2015-03-03 21:15

updater   ~0005347

I did a successfull test at 2015-01-20 22:11 as eneredd in bug 1354

Eva

2015-03-03 21:16

updater   ~0005348

As there are two successfull tests, please do your reviews

Issue History

Date Modified Username Field Change
2005-09-02 01:52 roe New Issue
2005-09-02 06:18 roe Note Added: 0000001
2006-08-08 06:12 duane Note Added: 0000333
2006-08-08 06:13 duane Status new => @30@
2006-08-14 02:47 duane Status @30@ => needs work
2006-08-14 02:47 duane Assigned To => Sourcerer
2009-04-20 10:46 stefanb Note Added: 0001376
2009-04-28 05:34 stefanb Note Edited: 0001376
2009-04-28 05:35 stefanb Note Edited: 0001376
2012-12-20 07:25 Werner Dworak Relationship added related to 0000089
2012-12-20 08:29 Werner Dworak Relationship added related to 0001079
2012-12-20 17:54 Werner Dworak Note Added: 0003485
2013-01-06 23:46 INOPIAE Relationship added has duplicate 0000992
2013-01-07 09:07 Werner Dworak Relationship added related to 0000991
2013-01-07 09:08 Werner Dworak Relationship added related to 0000851
2013-01-07 09:09 Werner Dworak Relationship added related to 0001097
2013-07-03 17:27 BenBE Relationship added related to 0001184
2014-06-15 08:53 felixd Note Added: 0004831
2015-01-03 00:32 BenBE Relationship added related to 0001354
2015-01-03 02:16 BenBE Test Instructions => Try to sign PGP keys with various variants of the name on record.
2015-01-03 02:16 BenBE Note Added: 0005218
2015-01-03 02:16 BenBE Status needs work => needs review & testing
2015-01-03 02:16 BenBE Product Version => 2005
2015-01-03 02:16 BenBE Target Version => 2015 Q1
2015-01-06 21:18 Eva Note Added: 0005226
2015-03-03 21:13 felixd Note Added: 0005344
2015-03-03 21:15 Eva Note Added: 0005347
2015-03-03 21:16 Eva Note Added: 0005348
2015-03-03 21:16 Eva Status needs review & testing => needs review