On 2019-01-24 12:08, Rob Stradling wrote:

Hi Kurt.

BRs 7.1.4.2.2 says that the subject:commonName "MUST contain a single IP
address or Fully-Qualified Domain Name that is one of the values
contained in the Certificate’s subjectAltName extension (see Section
7.1.4.2.1)."

Fitting the U-label into subjectAltName:dNSName (an IA5String, not a
UTF8String) would be...hard, so in practice the dNSName has to contain
the A-label.

So what does "is one of the values" mean?  It's certainly valid to use
the A-label in both the CN and SAN:dNSName.  However, it's arguably
invalid (or at least it's not obviously valid) to put the A-label in the
SAN:dNSName and the corresponding U-label in the CN.  (i.e., the U-label
and the A-label are different representations of the same value, but
they are not the same value).

I expect all fields in the subject to be things you can just read, so U-labels. It does not make sense to show users an A-label; they do not understand what that means. The fields in a subject allow writing things in Unicode, and there is no reason not to use it. The A-label is really just a technical thing related to DNS, and so only belongs in places where for technical reasons you need to use it. If you want to show them, RFC 5280 says you "should" convert them to Unicode. For fields where you can write Unicode, there really isn't a reason not to put the Unicode in it directly.

So in my opinion, the CN would be "gauß.siemens.de", and the SAN would be "xn--gau-7ka.siemens.de". They might add some alternatives like gauss.siemens.de to the SAN, and you can then also use that as CN. (But I think they should stop using that ss for ß, and really use gauß.)

I think that if you want to force the use of A-labels in the CN field that you should really update RFC5280 and X.520, so that IA5String is the only option in CN. But that just doesn't make any sense.


Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
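Below is an added example, written for this page and not code from either poster or from any CA, that makes the disagreement above concrete: it converts the thread's U-label "gauß.siemens.de" to its A-label, checks that the A-label fits in an IA5String dNSName, and then applies the two possible readings of "is one of the values" in BR 7.1.4.2.2 (byte-exact match versus match after converting the CN to A-labels). It uses only the Python standard library. Assumptions: the ToASCII routine here is a simplified IDNA2008 conversion (NFC, lowercase, Punycode) with the RFC 5891 label-validity checks omitted; the stdlib `idna` codec implements IDNA2003, which is why it is shown separately; the names and the three certificate scenarios are constructed from the thread, not taken from a real certificate.

```python
"""IDN subject:CN vs. SAN:dNSName comparison (added example, not from the thread)."""
import unicodedata
from typing import List, Optional

ACE_PREFIX = "xn--"


def to_alabel(label: str) -> str:
    """U-label -> A-label for one DNS label.

    Simplified IDNA2008 ToASCII (assumption: input label is already valid):
    NFC-normalise, lowercase, then Punycode with the ACE prefix. Full
    RFC 5891 validity checks (hyphen rules, bidi, contextual rules) are omitted.
    """
    label = unicodedata.normalize("NFC", label).lower()
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def to_ulabel(label: str) -> str:
    """A-label -> U-label for one DNS label (inverse of to_alabel)."""
    label = label.lower()
    if label.startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def domain_to_alabels(name: str) -> str:
    """Apply to_alabel to every label of a dotted domain name."""
    return ".".join(to_alabel(lbl) for lbl in name.split("."))


def domain_to_ulabels(name: str) -> str:
    """Apply to_ulabel to every label of a dotted domain name."""
    return ".".join(to_ulabel(lbl) for lbl in name.split("."))


def idna2003_to_ascii(name: str) -> str:
    """The stdlib 'idna' codec follows IDNA2003 (RFC 3490/3491), whose
    nameprep step case-folds U+00DF to 'ss', so 'gauß' does not become an
    xn-- label here. Shown for contrast with domain_to_alabels()."""
    return name.encode("idna").decode("ascii")


def fits_ia5string(value: str) -> bool:
    """dNSName is an IA5String: every character must be 7-bit ASCII."""
    return value.isascii()


def cn_matches_san(cn: str, san_dnsnames: List[str]) -> Optional[str]:
    """Decide whether the CN 'is one of the values' in SAN:dNSName.

    Returns:
      "exact"      - the CN string is byte-for-byte one of the dNSName values
                     (the reading under which only an A-label CN is safe),
      "after-idna" - they only match once the CN is converted to A-labels
                     (the reading under which a U-label CN is acceptable),
      None         - no match under either reading.
    """
    if cn in san_dnsnames:
        return "exact"
    cn_ace = domain_to_alabels(cn)
    if any(cn_ace == domain_to_alabels(san) for san in san_dnsnames):
        return "after-idna"
    return None


if __name__ == "__main__":
    ulabel_name = "gauß.siemens.de"          # constructed from the thread
    alabel_name = domain_to_alabels(ulabel_name)
    print(ulabel_name, "->", alabel_name, "(fits IA5String:", fits_ia5string(alabel_name), ")")
    print("U-label directly in dNSName would fit IA5String:", fits_ia5string(ulabel_name))
    print("stdlib idna (IDNA2003) gives:", idna2003_to_ascii(ulabel_name))
    print("round trip:", domain_to_ulabels(alabel_name))

    san = ["xn--gau-7ka.siemens.de", "gauss.siemens.de"]   # constructed SAN list
    for cn in ("xn--gau-7ka.siemens.de", "gauß.siemens.de", "gauss.siemens.de"):
        print(f"CN={cn!r:28} match:", cn_matches_san(cn, san))
```

Running the script prints that the U-label form cannot be placed in a dNSName at all, that the A-label CN matches the SAN exactly, and that the U-label CN only matches after conversion, which is precisely the case whose BR status is being debated. The IDNA2003 line also shows why a `gauss.siemens.de` SAN entry and a `gauß.siemens.de` CN are two different names under current IDNA rules even though the older mapping collapsed them.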