At 1:28 PM -0500 2/20/09, Benjamin Smedberg wrote:
>On 2/20/09 12:11 PM, Nelson B Bolyard wrote:
>> Benjamin Smedberg wrote, On 2009-02-19 07:39:
>>
>>> It sounds to me that we could and should fix this bug simply by disabling
>>> punycode for the wildcard portion.
>>
>> I'm not sure what you're proposing here, Ben, or what effect you think
>> it would have.
>
>I'm proposing that when Firefox displays the domain name of a site, it
>should only use punycode display for the portion of the domain name which
>actually appears in the certificate. So for a wildcard cert *.ijjk.cn, the
>display would be
>
>xn--blahblahunreadablepunycode.ijjk.cn
This does not fix the problem that Eddy pointed out, that you don't need
Punycode to make a sensible-looking domain name appear on the left of a
wild-carded domain name.

>I don't see how the attack could have been done without wildcards. CA
>guidelines say that certificates should not be issued with homographic
>characters that might cause confusion

They do? Where?

>, and as far as we know these
>guidelines are being followed.

Pointers, please. This is fascinating, if true.

>The attack here takes place entirely within
>the wildcard portion of the domain because that's the portion the CA can't
>verify when they issue the certificate.

That's true whether or not it is an IDNA label.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
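An added example, not code from this thread or from Firefox, showing one way a browser could apply the display policy Ben describes: a hostname is matched against the certificate's (possibly wildcard) name, labels the CA vouched for literally are decoded from punycode to Unicode, and the label the wildcard absorbed is left in its raw xn-- form so a homograph in that position is never prettified. The function names, the "example.com" names and the "bücher" label are constructed for the example; the wildcard rule (a lone "*" as the leftmost label only) follows the usual RFC 6125 shape, and the refusal of "*.tld" is a policy choice, not something the thread states.

```python
# Added example (not from the thread or from Mozilla): a display policy for
# hostnames matched against a wildcard certificate. Labels the CA saw are
# shown as Unicode (U-labels); the label the wildcard absorbed, which the
# CA never verified, stays in its raw punycode (A-label) form.
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def matches_wildcard(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' only as the entire leftmost label,
    matching exactly one non-empty label and never crossing a dot.
    Refusing '*' or '*.tld' is a policy choice made for this example."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def _to_unicode(label: str) -> str:
    """Decode an A-label (xn--...) to its U-label; leave plain labels alone."""
    if not label.startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label  # malformed punycode: show it raw rather than guess


def display_name(hostname: str, cert_pattern: str) -> Optional[str]:
    """Render hostname for the UI: decode only labels literally present in
    the certificate name; keep the wildcard-matched label as punycode.
    Returns None when the certificate name does not match the host."""
    if not matches_wildcard(cert_pattern, hostname):
        return None
    out = []
    for pat_label, host_label in zip(_labels(cert_pattern), _labels(hostname)):
        out.append(host_label if pat_label == "*" else _to_unicode(host_label))
    return ".".join(out)


if __name__ == "__main__":
    # Constructed inputs: the same host under a wildcard and a literal cert.
    print(display_name("xn--bcher-kva.example.com", "*.example.com"))
    print(display_name("xn--bcher-kva.example.com", "xn--bcher-kva.example.com"))
```

Under the wildcard certificate the left label is shown as xn--bcher-kva, under a certificate that names it literally it is shown as bücher. As the reply above notes, this only addresses the IDN half of the problem: an all-ASCII label under a wildcard is displayed unchanged either way, so this policy is a partial mitigation, not a fix for lookalike names in the unverified position.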