Perhaps I'm missing something, but perhaps this would be a solution to
the T61 vs. Printable String problem which wouldn't require constraining
the certificate format in a non-X.500 sanctioned way:
When storing certificates in the cache, to index them by the DER of the
DN with all Printable String's converted to T61 format.
Similarily, when doing comparisons, compare the DER of the DN's with all
Printable String's converted to T61 format.
Granted, this is extra work, but if you do things right, you should only
need to do this once per certificate, and the time required to
cannonicalize the DN of the certificate (for internal purposes only)
should be swamped by the cryptographic activity to actually verify the
certificate itself.
Or am I missing something?
- Ted