Jean-Marc Desperrier wrote re using different character sets within certificates:

> Maybe it would be adequate to require that the CA applies a policy that
> lowers the risk of homograph spoofing attacks. Nameprep and the IDN
> language-specific registration policy applicable to the language(s) the
> CA wishes to include in its certificate might be adequate references.

Gerv is well-versed in this topic from his work with IDN and domain name registrars. In fact, as I understand it, we implemented restrictions to prevent use of IDN for particular top-level domains until the registrars for those domains had appropriate controls in place. In theory at least we could do a similar thing with CAs, with a metadata flag stored with their root certs to control this.

> Though I feel it's an important point that nothing has been required
> until now for the CA already included in the list, and that, as far as I
> know, nothing restricts them from including non US-ASCII content in the
> certificates they issue.

I honestly don't know what the current status is, either with regard to support for non US-ASCII strings within certs, or use of such strings by CAs. I've made a note of this on the "CA recommended practices" wiki page, as a reminder.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto