CABF test: certs with different subject/issuer encodings should be rejected #563

Description

@woodruffw

RFC 5280 (mistakenly) allows the subject/issuer pair in a chain to have different ASN.1 types, effectively requiring verifiers to perform codec handling/codepoint normalization. This is bad, and CABF correctly forbids this by requiring the subject and issuer to be byte-for-byte equivalent, including the ASN.1 type.

This is covered under 7.1.4.1 Name Encoding.

Ref: https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.2.5.pdf (pg. 109f)
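The contrast the issue describes, as an added example that is not part of the original issue or of the project it was filed against. It assumes a minimal DER encoder/decoder written here for CN-only names (short-form lengths only), an approximation of the RFC 4518 string preparation that RFC 5280 section 7.1 requires, and constructed sample names in which the CA's subject uses PrintableString while the leaf's issuer uses UTF8String for the same text. Under the RFC 5280 comparison the names match after decoding and normalization; under CABF BR 7.1.4.1 the issuer must equal the parent's subject byte for byte, so the mismatched ASN.1 type alone is enough to reject the pair.

```python
"""Added example: RFC 5280 name matching vs. the CABF byte-for-byte rule.
Not code from the issue or the project; the DER helpers are minimal and
handle only the shapes constructed below."""
import unicodedata

PRINTABLE_STRING = 0x13
UTF8_STRING = 0x0C
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)


def _tlv(tag, body):
    # Short-form DER length only; sufficient for the small names built here.
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def encode_cn_name(cn, string_tag):
    """Name ::= SEQUENCE OF RDN; one RDN (SET) holding one CN AVA (SEQUENCE)."""
    ava = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(string_tag, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, ava))


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80
    end = pos + 2 + length
    return tag, buf[pos + 2:end], end


def decode_name(der):
    """Return a list of RDNs, each a list of (oid_bytes, string_tag, text)."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        assert tag == 0x31
        avas, p = [], 0
        while p < len(rdn):
            _, ava, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(ava, 0)
            vtag, value, _ = _read_tlv(ava, q)
            avas.append((oid, vtag, value.decode("utf-8")))
        rdns.append(avas)
    return rdns


def _rfc5280_fold(text):
    # Approximation (assumption) of the RFC 4518 preparation RFC 5280 mandates:
    # Unicode normalization, case folding, and insignificant-space handling.
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


def rfc5280_names_match(a_der, b_der):
    """RFC 5280-style comparison: decode both names and compare attribute
    values after string preparation, ignoring which ASN.1 string type
    (PrintableString vs UTF8String) carried them."""
    a, b = decode_name(a_der), decode_name(b_der)
    if len(a) != len(b):
        return False
    for rdn_a, rdn_b in zip(a, b):
        sa = sorted((oid, _rfc5280_fold(v)) for oid, _, v in rdn_a)
        sb = sorted((oid, _rfc5280_fold(v)) for oid, _, v in rdn_b)
        if sa != sb:
            return False
    return True


def cabf_names_match(issuer_der, parent_subject_der):
    """CABF BR 7.1.4.1: the issuer field must be byte-for-byte identical to
    the issuing CA's subject field, so no decoding or normalization happens."""
    return issuer_der == parent_subject_der


# Constructed samples: identical text, but the leaf issuer differs from the
# CA subject either by ASN.1 string type or by letter case.
CA_SUBJECT = encode_cn_name("Example Root CA", PRINTABLE_STRING)
LEAF_ISSUER_UTF8 = encode_cn_name("Example Root CA", UTF8_STRING)
LEAF_ISSUER_CASE = encode_cn_name("example root ca", PRINTABLE_STRING)

if __name__ == "__main__":
    for label, issuer in (("utf8", LEAF_ISSUER_UTF8), ("case", LEAF_ISSUER_CASE)):
        print(label, "rfc5280:", rfc5280_names_match(issuer, CA_SUBJECT),
              "cabf:", cabf_names_match(issuer, CA_SUBJECT))
```

The only byte that differs between CA_SUBJECT and LEAF_ISSUER_UTF8 is the value's tag (0x13 vs 0x0C); the RFC 5280 path has to decode, normalize and compare to see they are "the same", while the CABF path is a single constant-length comparison with no parser in the loop, which is why a verifier implementing the BR profile can reject such a chain without any codec handling.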
