Hello Kurt!

We don't fill in the CN of a certificate. We verify that in the CSR of the 
customer the subject:CommonName is part of the extensions:subjectAltName (as 
required in BRGs 7.1.4.2.2.a). So we would only issue a certificate with:

{
CN = xn--gau-7ka.siemens.de
SAN = xn--gau-7ka.siemens.de, gauss.siemens.de
}

but not with

{
CN = gauß.siemens.de
SAN = xn--gau-7ka.siemens.de, gauss.siemens.de
}

And technically I don't see any reason why someone would want to have a 
certificate with CN = gauß.siemens.de, as the unicode URL gauß.siemens.de is 
only of interest in the address bar of the browser and they perform the IDNA 
conversion.

With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany 
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.twitter.com/siemens

www.siemens.com/ingenuityforlife

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann 
Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive 
Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Cedrik Neike, 
Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; 
Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; 
WEEE-Reg.-No. DE 23691322

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
> Behalf Of Kurt Roeckx via dev-security-policy
> Sent: Thursday, 24 January 2019 10:04
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: AW: Incident Report DFN-PKI: Non-IDNA2003 encoded international 
> domain names
> 
> On 2019-01-24 9:47, Buschart, Rufus wrote:
> > Good morning!
> >
> > I would like to sharpen my argument from below a little bit: If a CA gets a 
> > request to issue a certificate for the domain xn--gau-7ka.siemens.de, how 
> > can the CA tell that xn--gau-7ka is a punycode string in IDNA2008 and not 
> > only a very strange server name? At least I don't have a glass bowl to read 
> > the mind of my customers. Therefore I would say it is perfectly okay to 
> > issue a certificate for xn--gau-7ka.siemens.de as long as you perform a 
> > successful domain validation for xn--gau-7ka.siemens.de.
> 
> Will you fill something in in the commonName? I think what is expected in the 
> commonName is what the user would type and expect to see; I don't think the 
> commonName should contain xn--gau-7ka.siemens.de. If you have a commonName, 
> I would expect that it contains gauß.siemens.de. And if you create a 
> commonName then, you are required to check that it matches the 
> xn--gau-7ka.siemens.de in the SAN.
> 
> 
> Kurt
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
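As an added illustration of the two points argued in this thread (this is example code written for this page, not Siemens' or DFN-PKI's issuance code), the block below shows (1) why the same Unicode name gauß.siemens.de ends up as gauss.siemens.de under IDNA2003 but as xn--gau-7ka.siemens.de under IDNA2008, which is why both appear in the SAN, and (2) the CSR check Rufus describes: the subject CN, if present, must be exactly one of the SAN dNSName values, so a Unicode CN can never pass. It assumes the CN and SAN have already been pulled out of the CSR as plain strings (a constructed sample, no real CSR is parsed), and it approximates the IDNA2008 A-label with Python's raw punycode codec, without IDNA2008 code-point validation; the helper names are mine.

```python
"""CN / SAN consistency checks for internationalized domain names.

Constructed example: CN and SAN dNSName values are passed in as strings
the way a CSR linting step would hand them over; no CSR is parsed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def to_idna2003(name: str) -> str:
    """IDNA2003 (RFC 3490 + nameprep) as implemented by Python's built-in
    'idna' codec. Nameprep maps U+00DF (ß) to 'ss', so no xn-- label appears."""
    return name.encode("idna").decode("ascii")


def to_alabels(name: str) -> str:
    """Per-label punycode *without* the IDNA2003 mapping step.

    For a label containing only code points IDNA2008 permits (ß is one) this
    is the A-label an IDNA2008 implementation produces. Assumption: labels are
    already IDNA2008-valid; no code-point validation is done here."""
    out = []
    for label in name.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append("xn--" + label.lower().encode("punycode").decode("ascii"))
    return ".".join(out)


def to_ulabels(name: str) -> str:
    """Decode xn-- labels back to Unicode so a validation reviewer can see what
    the customer actually asked for. A label that merely starts with 'xn--'
    but is not valid punycode is left untouched (it may just be a strange
    server name, which the CA cannot tell apart)."""
    out = []
    for label in name.split("."):
        if label.lower().startswith("xn--"):
            try:
                out.append(label[4:].encode("ascii").decode("punycode"))
                continue
            except UnicodeError:
                pass
        out.append(label)
    return ".".join(out)


@dataclass
class CsrNames:
    common_name: Optional[str]       # subject:CommonName, or None if absent
    san_dns_names: List[str]         # extensions:subjectAltName dNSName values


def check_cn_in_san(csr: CsrNames) -> Tuple[bool, str]:
    """The BR 7.1.4.2.2(a) condition as applied in the mail: if a CN is
    present it must be byte-for-byte one of the SAN dNSName values.
    SAN dNSName entries are ASCII A-labels, so a Unicode CN never matches."""
    if csr.common_name is None:
        return True, "no CN present; SAN alone is sufficient"
    if csr.common_name in csr.san_dns_names:
        return True, "CN is one of the SAN dNSName values"
    hint = ""
    if not csr.common_name.isascii():
        hint = " (its A-label form would be %r)" % to_alabels(csr.common_name)
    return False, "CN %r is not in the SAN%s" % (csr.common_name, hint)


# Constructed sample requests mirroring the two cases in the mail.
SAN = ["xn--gau-7ka.siemens.de", "gauss.siemens.de"]
ACCEPTED = CsrNames("xn--gau-7ka.siemens.de", SAN)
REJECTED = CsrNames("gauß.siemens.de", SAN)

if __name__ == "__main__":
    print("IDNA2003:", to_idna2003("gauß.siemens.de"))
    print("IDNA2008:", to_alabels("gauß.siemens.de"))
    print("reviewer view:", to_ulabels("xn--gau-7ka.siemens.de"))
    for csr in (ACCEPTED, REJECTED):
        ok, why = check_cn_in_san(csr)
        print("issue " if ok else "reject", "-", why)
```

Run as a script it prints the two encodings side by side and then "issue" for the first request and "reject" for the second; the reviewer-view decoder is only a convenience for the human who looks at the request, the issuance decision itself rests on domain validation of the A-label plus the exact CN-in-SAN match.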