Hello

> -----Original Message-----
> From: Hanno Böck <ha...@hboeck.de>
> Sent: Thursday, 24 January 2019 12:36
> 
> On Thu, 24 Jan 2019 11:14:11 +0000
> "Buschart, Rufus via dev-security-policy"
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> > You are right, of course there are mandatory RFCs to take into account.
> > But there is - to my knowledge - no RFC that says you MUST NOT issue
> > a certificate to a domain that could be interpreted as an
> > IDNA2008 punycode.
> 
> https://tools.ietf.org/html/rfc5891
> 
> 4.2.3.1.  Hyphen Restrictions
> 
>    The Unicode string MUST NOT contain "--" (two consecutive hyphens) in
>    the third and fourth character positions and MUST NOT start or end
>    with a "-" (hyphen).
> 
> This means you can't have a valid host name that is just xn--[something]. You 
> can only have it if it is also a valid IDN name.
> 
I don't read it like this. This chapter describes the "Unicode string", which is 
the U-label before conversion. The hostname is the A-label after conversion, and 
in the certificate you find the hostname. RFC 3490 clearly addressed this 
issue:

   While all ACE labels begin with the ACE prefix, not all labels
   beginning with the ACE prefix are necessarily ACE labels.  Non-ACE
   labels that begin with the ACE prefix will confuse users and SHOULD
   NOT be allowed in DNS zones.

But first of all, this is only a SHOULD requirement, and second, it places the 
burden on the operator of the DNS zones.


With best regards,
Rufus Buschart

Siemens AG
Information Technology
Human Resources
PKI / Trustcenter
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany 
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com

www.siemens.com/ingenuityforlife

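The thread turns on the gap between the two texts quoted above: RFC 5891 section 4.2.3.1 restricts hyphens in the U-label, while the RFC 3490 passage warns about labels that carry the ACE prefix "xn--" without being ACE labels at all. The following is an added example written for this thread, not code posted by either participant: a small Python linter of the kind a CA or zone operator could run before issuance to flag such labels. It uses only the standard-library Punycode codec and unicodedata, and the function names (`check_ace_label`, `suspicious_ace_labels`) and the test strings are my own. It deliberately does not implement the RFC 5892 code-point tables, so a label it accepts is only plausibly an A-label, whereas every label it rejects is certainly not one; a full IDNA2008 check would use the `idna` package from PyPI.

```python
"""Flag labels that start with the ACE prefix "xn--" but are not valid A-labels.

Added example, not from the mailing-list thread.  Standard library only.
Checks performed on each xn-- label:
  1. the label is ASCII and carries the prefix (compared case-insensitively);
  2. the part after the prefix decodes as Punycode (RFC 3492);
  3. the decoded U-label re-encodes to exactly the same bytes (canonical form);
  4. the U-label has at least one non-ASCII code point and is in NFC, which is
     how RFC 5890 section 2.3.2.1 defines a U-label;
  5. the U-label obeys the hyphen restrictions of RFC 5891 section 4.2.3.1.
Not checked: the RFC 5892 code-point validity tables (use the PyPI 'idna'
package for that), so an empty result means "plausible", not "valid".
"""
import unicodedata

ACE_PREFIX = "xn--"


def check_ace_label(label: str) -> list[str]:
    """Return the reasons why `label` is not a valid A-label ([] if none found)."""
    problems: list[str] = []
    label = label.lower()  # DNS names are case-insensitive; compare in lowercase
    if not label.isascii():
        return ["label is not ASCII, so it cannot be an A-label"]
    if not label.startswith(ACE_PREFIX):
        return ["label does not start with the ACE prefix"]

    encoded = label[len(ACE_PREFIX):].encode("ascii")
    try:
        ulabel = encoded.decode("punycode")  # strict: raises on bad digits
    except (UnicodeError, ValueError) as exc:
        return [f"not decodable as Punycode: {exc}"]

    # Round trip: the only acceptable A-label for a U-label is its canonical encoding.
    if ulabel.encode("punycode") != encoded:
        problems.append("Punycode does not round-trip (non-canonical encoding)")
    # RFC 5890 2.3.2.1: a U-label contains at least one non-ASCII character and is NFC.
    if ulabel.isascii():
        problems.append("decodes to ASCII only; a U-label needs a non-ASCII code point")
    if unicodedata.normalize("NFC", ulabel) != ulabel:
        problems.append("decoded U-label is not in Unicode NFC")
    # RFC 5891 4.2.3.1, applied to the Unicode string (the U-label), not to "xn--".
    if ulabel.startswith("-") or ulabel.endswith("-"):
        problems.append("U-label starts or ends with a hyphen (RFC 5891 4.2.3.1)")
    if ulabel[2:4] == "--":  # third and fourth character positions
        problems.append('U-label has "--" in positions 3 and 4 (RFC 5891 4.2.3.1)')
    return problems


def suspicious_ace_labels(hostname: str) -> dict[str, list[str]]:
    """Map each failing xn-- label of `hostname` to its list of problems."""
    result: dict[str, list[str]] = {}
    for label in hostname.rstrip(".").split("."):
        if label.lower().startswith(ACE_PREFIX):
            problems = check_ace_label(label)
            if problems:
                result[label] = problems
    return result


if __name__ == "__main__":
    # Constructed sample names: a genuine A-label, a prefix-only label,
    # an all-ASCII "xn--" label, and one whose U-label breaks the hyphen rule.
    hyphen_rule_breaker = ACE_PREFIX + "ab--\u00fc".encode("punycode").decode("ascii")
    for name in ("www.xn--mnchen-3ya.de", "xn--.example", "www.xn--foo-.example",
                 hyphen_rule_breaker + ".example"):
        print(name, "->", suspicious_ace_labels(name) or "no problems found")
```

Note that the hyphen rule is evaluated on the decoded Unicode string, which is exactly the reading Rufus gives above; the "xn--" prefix itself never triggers it. What the linter does flag is the RFC 3490 case: a label that wears the ACE prefix but does not decode to any U-label, which is the situation in which a certificate would name a hostname no IDNA-aware client can map back to anything.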

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy