On Thu, Jan 24, 2019 at 8:17 AM Peter Bowen via dev-security-policy <[email protected]> wrote:

> I agree with Rufus. There are really two issues here:
>
> 1) The original reports to the CAs claimed an issue because RFC 5280 references the original IDNA RFCs (now known as IDNA2003).
>
> RFC 5280 says "Rules for encoding internationalized domain names are specified in Section 7.2 <https://tools.ietf.org/html/rfc5280#section-7.2>."
>
> Section 7.2 says: "one choice in GeneralName is the dNSName field, which is defined as type IA5String. IA5String is limited to the set of ASCII characters. To accommodate internationalized domain names in the current structure, conforming implementations MUST convert internationalized domain names to the ASCII Compatible Encoding (ACE) format as specified in Section 4 of RFC 3490 before storage in the dNSName field."
>
> This makes it clear it is only discussing a case where a domain name is processed that does not meet the IA5String semantics. Therefore both "xn--foo-bar-ghost.example.com" and "zq--special.example.com" are acceptable in certificates, as these do not need encoding and are valid preferred name syntax.

Thank you for weighing in on this, Peter. I think your (and Rufus') interpretation of section 7.2 is a stretch, but I can admit that it isn't clear if the intent is to require conformance to RFC 3490 if the string does not require conversion. Given the ambiguity, I am now leaning toward treating these misissuance reports as invalid.

> 2) How should CAs handle this going forward?
>
> RFC 8399, dated May 2018, explicitly updates RFC 5280. It says "Conforming CAs SHOULD ensure that IDNs are valid. This can be done by validating all code points according to IDNA2008 [RFC5892]." Note that this is only a "SHOULD". The CA/Browser Forum ballot 202 attempted to make this stricter, requiring that CAs not issue for names that contain Reserved LDH labels unless they start with the ACE prefix and the remainder is valid Punycode. However, this ballot failed.
>
> This leaves us at the point that CAs "SHOULD" ensure IDNs are valid, but they may issue for names with any LDH label that passes the validation of control required by the BRs.
>
> Maybe Mozilla should add something about acceptable LDH labels to the CA policy?

It appears that you proposed [1] an acceptable solution to the concerns raised with this part of ballot 202 [2], so before creating a Mozilla-specific policy I'd like to take another crack at solving it in the BRs.

[1] https://cabforum.org/pipermail/public/2017-July/011774.html
[2] https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/

> Thanks,
> Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
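As an added illustration that is not part of the thread, the following Python (3.7+, standard library only) checker applies the label rules the messages above argue about to a dNSName: every label must fit the LDH "preferred name syntax" (so the name is a plain IA5String and needs no ACE conversion), and, following the failed ballot 202 rule as Peter quotes it, a Reserved LDH label (hyphens in positions 3 and 4) is accepted only if it carries the `xn--` ACE prefix and the remainder is well-formed Punycode. It deliberately stops there: the IDNA2008 code point validation of RFC 5892 that RFC 8399 recommends needs Unicode property tables and is not attempted. Function names and the classification strings are my own, and the stdlib `punycode` codec is used for the round-trip check.

```python
import re

# LDH label syntax (RFC 1034 preferred name syntax as relaxed by RFC 1123):
# letters, digits and hyphens, no leading or trailing hyphen, 1 to 63 octets.
# Anything matching this is already ASCII and needs no ACE conversion.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
ACE_PREFIX = "xn--"  # ACE prefix from RFC 3490 section 5


def classify_label(label: str) -> str:
    """Classify one DNS label (case-insensitively). Returns one of:
    'nr-ldh'        LDH label without hyphens in positions 3 and 4
    'a-label'       xn-- label whose remainder is well-formed Punycode that
                    round-trips and encodes at least one non-ASCII code point
    'bad-a-label'   xn-- label whose remainder fails the above
    'reserved-ldh'  hyphens in positions 3 and 4 but no xn-- prefix (zq--...)
    'invalid'       not an LDH label at all (non-ASCII, bad hyphens, too long)
    Note: 'a-label' means well-formed Punycode only; RFC 5892 code point
    validity is NOT checked here (hypothetical helper, not a library API).
    """
    label = label.lower()
    if not LDH_LABEL.match(label):
        return "invalid"
    if label[2:4] != "--":
        return "nr-ldh"
    if not label.startswith(ACE_PREFIX):
        return "reserved-ldh"
    rest = label[len(ACE_PREFIX):]
    try:
        decoded = rest.encode("ascii").decode("punycode")
        reencoded = decoded.encode("punycode").decode("ascii")
    except (UnicodeError, ValueError):
        # truncated or otherwise malformed Punycode
        return "bad-a-label"
    # A valid A-label re-encodes to exactly the same ASCII and must carry at
    # least one non-ASCII code point; "xn--" in front of plain ASCII is bogus.
    if reencoded != rest or decoded.isascii():
        return "bad-a-label"
    return "a-label"


def check_dnsname(name: str) -> dict:
    """Classify every label of a dNSName and apply the strict ballot 202 rule
    quoted in the thread: a Reserved LDH label is acceptable only if it is a
    well-formed A-label. Returns the per-label verdicts and the overall result."""
    labels = name.rstrip(".").split(".")
    report = [(label, classify_label(label)) for label in labels]
    strict_ok = all(kind in ("nr-ldh", "a-label") for _, kind in report)
    return {"labels": report, "acceptable_under_ballot_202_rule": strict_ok}


if __name__ == "__main__":
    # Constructed sample names, including the two from the thread.
    for sample in ("xn--foo-bar-ghost.example.com",
                   "zq--special.example.com",
                   "xn--bcher-kva.example.com",
                   "xn--a-z.example.com"):
        print(sample, check_dnsname(sample))
```

Both names from the thread pass the LDH check, as Peter says; under the stricter ballot 202 wording only the `xn--` one survives, and it survives only because its remainder is well-formed Punycode, which says nothing about whether the decoded code points are IDNA2008-valid.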

