Hello Kurt!

We don't fill in the CN of a certificate. We verify that in the CSR of the customer the subject:CommonName is part of the extensions:subjectAltName (as required in BRGs 7.1.4.2.2.a). So we would only issue a certificate with:

{ CN = xn--gau-7ka.siemens.de; SAN = xn--gau-7ka.siemens.de, gauss.siemens.de }

but not with

{ CN = gauß.siemens.de; SAN = xn--gau-7ka.siemens.de, gauss.siemens.de }

And technically I don't see any reason why someone would want to have a certificate with CN = gauß.siemens.de, as the unicode URL gauß.siemens.de is only of interest in the address bar of the browser and they perform the IDNA conversion.

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.twitter.com/siemens
www.siemens.com/ingenuityforlife

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On behalf of Kurt Roeckx via dev-security-policy
> Sent: Thursday, 24 January 2019 10:04
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: RE: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names
>
> On 2019-01-24 9:47, Buschart, Rufus wrote:
> > Good morning!
> >
> > I would like to sharpen my argument from below a little bit: If a CA gets a request to issue a certificate for the domain xn--gau-7ka.siemens.de, how can the CA tell, that xn--gau-7ka is a punycode string in IDNA2008 and not only a very strange server name? At least I don't have a glass bowl to read the mind of my customers.
> > Therefore I would say, it is perfectly okay to issue a certificate for xn--gau-7ka.siemens.de as long as you perform a successful domain validation for xn--gau-7ka.siemens.de.
>
> Will you fill something in in the commonName? I think what is expected in the commonName is what the user would type and expect to see, I don't think the commonName should contain xn--gau-7ka.siemens.de. If you have a commonName, I would expect that it contains gauß.siemens.de. And if you create a commonName then, you are required to check that it matches the xn--gau-7ka.siemens.de in the SAN.
>
> Kurt
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
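The CN-in-SAN check described in the thread, together with the two IDNA conversions that make gauß.siemens.de ambiguous, as an added example that is not DFN-PKI, Siemens or Mozilla code. The CSR contents are constructed to mirror the two cases above; `to_alabel_2008` is a simplified A-label construction (punycode plus `xn--`, without the full IDNA2008 validity rules), while Python's built-in `idna` codec implements IDNA2003.

```python
"""CA-side check from the thread: the CSR's subject CN must be one of the
dNSName SANs (BR 7.1.4.2.2.a), plus a demonstration of why gauß.siemens.de
maps to different ASCII names under IDNA2003 and IDNA2008.
Added example; the CSR fields below are constructed, not taken from a CSR."""


def to_alabel_2008(name: str) -> str:
    """IDNA2008-style A-label: no nameprep mapping, so ß stays a distinct code
    point and the label is punycode-encoded with the xn-- prefix.
    (Simplified: full IDNA2008 label validity checks are omitted.)"""
    labels = []
    for label in name.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_alabel_2003(name: str) -> str:
    """Python's built-in 'idna' codec is IDNA2003: nameprep folds ß to 'ss',
    so the label ends up pure ASCII and no punycode is produced at all."""
    return name.encode("idna").decode("ascii")


def cn_is_in_san(common_name: str, san_dns_names: list) -> bool:
    """The check the CA applies to a CSR: the CN must literally equal one of
    the dNSName SAN entries (case-insensitive, no IDNA conversion applied)."""
    cn = common_name.lower()
    return any(cn == san.lower() for san in san_dns_names)


# Constructed CSR contents mirroring the accepted and rejected cases above.
SAN = ["xn--gau-7ka.siemens.de", "gauss.siemens.de"]
CSR_ACCEPTED = {"CN": "xn--gau-7ka.siemens.de", "SAN": SAN}
CSR_REJECTED = {"CN": "gauß.siemens.de", "SAN": SAN}

if __name__ == "__main__":
    for csr in (CSR_ACCEPTED, CSR_REJECTED):
        verdict = "issue" if cn_is_in_san(csr["CN"], csr["SAN"]) else "reject"
        print(f'CN={csr["CN"]!r} -> {verdict}')
    print("IDNA2008-style A-label:", to_alabel_2008("gauß.siemens.de"))
    print("IDNA2003 (python idna):", to_alabel_2003("gauß.siemens.de"))
```

The two conversions show why both xn--gau-7ka.siemens.de and gauss.siemens.de appear in the SAN: the same U-label yields either one depending on which IDNA version the requester used.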