>I think part of what's going on here is a confusion between CAs and domain
>name registrars. IIRC there was indeed some sort of agreement among domain
>name registrars to implement special checking for internationalized domain
>names.

There was no such agreement. TLD registries ask which language a name is in; some then do some filtering based on what characters they think are used by particular languages. This is far from a science and fails miserably for most European languages.

>I think we (Mozilla) made this a condition for turning on IDN support in
>Mozilla products for particular TLDs.

True. And, IMHO, embarrassing to Mozilla. The reason for showing the Punycode for www.éxample.com but the actual characters for www.éxample.org takes a lot of stretching, to say the least.

>However as you note I'm not aware of an agreement addressing similar measures
>to be taken by CAs.

Of course, it would have to be an agreement with *every* CA in your trust anchor pile, which is kind of unlikely.

>Gerv Markham was pretty heavily involved in the IDN issues with domain name
>registrars. I've copied him on this in hopes he can add more information.

It will be interesting to see if he has anything to say about CAs, who are the real security concern here.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto