Hello Kurt!
We don't fill in the CN of a certificate. We verify that in the CSR of the
customer the subject:CommonName is part of the extensions:subjectAltName (as
required in BRGs 7.1.4.2.2.a). So we would only issue a certificate with:
{
CN = xn--gau-7ka.siemens.de
SAN = xn--gau-7ka.siemens.de, gauss.siemens.de
}
but not with
{
CN = gauß.siemens.de
SAN = xn--gau-7ka.siemens.de, gauss.siemens.de
}
And technically I don't see any reason why someone would want to have a
certificate with CN = gauß.siemens.de, as the Unicode URL gauß.siemens.de is
only of interest in the address bar of the browser, and browsers perform the
IDNA conversion.
With best regards,
Rufus Buschart
Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:[email protected]
www.twitter.com/siemens
www.siemens.com/ingenuityforlife
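The two encodings that appear in the SAN above, and the CN-in-SAN check described in the message, as an added example (this is illustration code written for this page, not code from Siemens, DFN-PKI or anyone in the thread). It uses only the Python standard library: the built-in `idna` codec implements IDNA2003, whose Nameprep step maps ß to "ss" and therefore yields the plain ASCII name gauss.siemens.de, while under IDNA2008 ß is a valid code point and the label is Punycode-encoded to xn--gau-7ka. The IDNA2008 conversion below is a deliberate simplification (Punycode only, no contextual-rule or disallowed-code-point validation), and the two CSRs are constructed dicts standing in for the subject and subjectAltName fields a CA would read from a parsed request.

```python
# Added example, not from the mailing-list thread. Stand-in for a CA's
# "is the CN one of the SAN dNSNames?" check (BR 7.1.4.2.2.a) plus the
# IDNA2003 and IDNA2008 A-label forms of a name containing U+00DF (ß).
from typing import Dict, List


def to_ascii_idna2003(hostname: str) -> str:
    """IDNA2003 ToASCII via Python's built-in 'idna' codec.

    Nameprep case-folds ß to 'ss', so gauß.siemens.de comes back as the
    all-ASCII gauss.siemens.de with no xn-- label at all.
    """
    return hostname.encode("idna").decode("ascii")


def to_ascii_idna2008_like(hostname: str) -> str:
    """Simplified IDNA2008-style ToASCII (assumption: Punycode only).

    IDNA2008 keeps ß as a distinct code point, so the label is Punycode
    encoded and prefixed with 'xn--'. Real IDNA2008 processing also applies
    contextual rules and a disallowed-code-point table; that validation is
    intentionally left out of this illustration.
    """
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            # str.lower() leaves ß unchanged; str.casefold() would turn it into
            # 'ss' and silently reproduce the IDNA2003 behaviour, so avoid it.
            out.append("xn--" + label.lower().encode("punycode").decode("ascii"))
    return ".".join(out)


def cn_is_covered_by_san(common_name: str, san_dns_names: List[str]) -> bool:
    """The check from the message: the subject CN must literally be one of the
    SAN dNSNames. DNS names are case-insensitive, so compare ASCII-lowercased,
    but never casefold (see above). A Unicode CN such as gauß.siemens.de does
    not match either A-label and is rejected."""
    wanted = common_name.lower()
    return any(wanted == name.lower() for name in san_dns_names)


def evaluate_csr(csr: Dict[str, object]) -> bool:
    """Decide whether a (constructed, pre-parsed) CSR passes the CN/SAN rule."""
    return cn_is_covered_by_san(str(csr["CN"]), list(csr["SAN"]))  # type: ignore[arg-type]


def san_entries_for_unicode_name(hostname: str) -> List[str]:
    """Both A-label spellings a subscriber might legitimately need, de-duplicated.
    For names without ß (or other IDNA2003/2008 deviations) both forms agree."""
    forms = [to_ascii_idna2008_like(hostname), to_ascii_idna2003(hostname)]
    return list(dict.fromkeys(forms))


# Constructed stand-ins for the two requests described in the message.
ACCEPTED_CSR = {
    "CN": "xn--gau-7ka.siemens.de",
    "SAN": ["xn--gau-7ka.siemens.de", "gauss.siemens.de"],
}
REJECTED_CSR = {
    "CN": "gauß.siemens.de",
    "SAN": ["xn--gau-7ka.siemens.de", "gauss.siemens.de"],
}

if __name__ == "__main__":
    print("IDNA2003:", to_ascii_idna2003("gauß.siemens.de"))
    print("IDNA2008:", to_ascii_idna2008_like("gauß.siemens.de"))
    print("SAN entries:", san_entries_for_unicode_name("gauß.siemens.de"))
    print("accepted CSR passes:", evaluate_csr(ACCEPTED_CSR))
    print("rejected CSR passes:", evaluate_csr(REJECTED_CSR))
```

Running it shows why the SAN in the message carries two names: a client built on IDNA2003 looks up gauss.siemens.de while an IDNA2008 client looks up xn--gau-7ka.siemens.de, and the CA can only validate and certify the A-labels it is actually asked for.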
> -----Original Message-----
> From: dev-security-policy <[email protected]> On
> behalf of Kurt Roeckx via dev-security-policy
> Sent: Thursday, 24 January 2019 10:04
> To: [email protected]
> Subject: Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international
> domain names
>
> On 2019-01-24 9:47, Buschart, Rufus wrote:
> > Good morning!
> >
> > I would like to sharpen my argument from below a little bit: If a CA gets a
> > request to issue a certificate for the domain xn--gau-7ka.siemens.de, how can
> > the CA tell that xn--gau-7ka is a punycode string in IDNA2008 and not only a
> > very strange server name? At least I don't have a glass bowl to read the mind
> > of my customers. Therefore I would say it is perfectly okay to issue a
> > certificate for xn--gau-7ka.siemens.de as long as you perform a successful
> > domain validation for xn--gau-7ka.siemens.de.
>
> Will you fill something in in the commonName? I think what is expected in the
> commonName is what the user would type and expect to see; I don't think the
> commonName should contain xn--gau-7ka.siemens.de. If you have a commonName, I
> would expect that it contains gauß.siemens.de. And if you create a commonName
> then, you are required to check that it matches the xn--gau-7ka.siemens.de in
> the SAN.
>
>
> Kurt
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy